Monday, April 20, 2026

MacOS isn’t much of a safer haven than Windows because infostealers come to Apple computers

I used to think that MacBooks were relatively safer than other laptops, but I’ve been proven wrong. Embarrassingly and demonstrably wrong. A new report from Sophos

Researchers at the company tracked three separate attack campaigns between November 2025 and February 2026, all of which targeted macOS users with the so-called MacSync infostealer. For those who don’t know, an infostealer is a type of malware that secretly harvests your passwords and saved credentials, acting like a digital pickpocket.

How does it actually work?

The malware was delivered through a technique called ClickFix, which requires minimal technical effort from the attacker: the victim is persuaded to copy and paste a command into their Mac’s Terminal (the app for running text-based commands) and press Enter.

First, malicious actors used fake OpenAI download pages distributed via sponsored ads on Google (directly above the legitimate link). Then they got even more creative: Attackers started sharing backend ChatGPT conversations disguised as “helpful Mac guides.”

These guides led users to fake GitHub pages that contained carefully crafted software installation instructions. In reality, the instructions asked users to copy a terminal command that let the MacSync infostealer run in the background. That’s it; that’s the whole attack.

How bad has it gotten?

Sophos found that malicious actors redirected more than 50,000 clicks to such malicious domains through December 2025 alone. A “click” means someone copied the malicious terminal command, but not necessarily that the malware was successfully installed; the actual number of infections could be lower.

The developers gave their attack method another twist in February 2026, allowing it to run silently in the background and bypass built-in macOS security tools such as Gatekeeper and XProtect. It can patch the 24-word master key of your Ledger crypto wallet in a very real way.

The company reports that infection clusters in key markets, including parts of North and South America and India, were already active weeks before the article was published (possibly in late/early March).

Furthermore, the idea that “Macs are safe” is not true, at least for now. As AI platforms become more popular and, more importantly, gain the trust of millions of users, malicious actors are inventing new ways to use the LLM-driven tools to their advantage. For now, I advise you not to paste text-based commands into your Mac’s Terminal.
