TechFlow news: On March 30, GoPlus Security disclosed that a credential-stealing malware named “Infiniti Stealer” is targeting Mac users’ cryptocurrency wallets and sensitive credentials via a social engineering attack dubbed “ClickFix.”
Attackers present highly realistic fake Cloudflare CAPTCHA pages to trick users into opening Terminal and manually pasting and executing malicious commands. Upon execution, the script removes macOS’s quarantine attribute and silently writes subsequent payloads to the /tmp directory for background execution. The final payload is a native macOS binary compiled with Nuitka, which makes it significantly harder for security tools to detect.
Once deployed, Infiniti Stealer can steal credentials from Chromium/Firefox browsers, macOS Keychain, cryptocurrency wallets, and developer key files (e.g., .env files), and features sandbox detection and delayed execution capabilities to evade tracking.
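For defenders, the chain described above (a Terminal session that removes the quarantine attribute and then runs something from /tmp) can be matched in process-execution telemetry. The following is an added example, not code from GoPlus or the original report. It assumes the attribute is removed with the standard `xattr` tool (the report does not name the command), and the event schema, sample events and 120-second window are constructed for illustration.

```python
import os
import shlex

WINDOW = 120  # max seconds between quarantine removal and temp-dir exec (assumed threshold)
TEMP_DIRS = ("/tmp/", "/private/tmp/")  # /tmp is a symlink to /private/tmp on macOS

# Constructed sample events; the schema (ts, pid, ppid, argv) is hypothetical.
EVENTS = [
    {"ts": 100, "pid": 500, "ppid": 1, "argv": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": 101, "pid": 510, "ppid": 500, "argv": "/bin/zsh -l"},
    {"ts": 120, "pid": 515, "ppid": 510, "argv": "xattr -l /Users/a/Downloads/report.pdf"},
    {"ts": 130, "pid": 520, "ppid": 510, "argv": "xattr -d com.apple.quarantine /tmp/.upd"},
    {"ts": 131, "pid": 521, "ppid": 510, "argv": "/tmp/.upd"},
    {"ts": 290, "pid": 600, "ppid": 500, "argv": "/bin/zsh -l"},
    {"ts": 300, "pid": 620, "ppid": 600, "argv": "/private/tmp/build/test-runner"},
]

def removes_quarantine(argv):
    """True for `xattr -d com.apple.quarantine ...` or `xattr -c ...` (flags may be combined)."""
    if os.path.basename(argv[0]) != "xattr":
        return False
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-"))
    return "c" in flags or ("d" in flags and "com.apple.quarantine" in argv)

def terminal_ancestor(pid, by_pid):
    """Walk up the process tree; return the pid of a Terminal.app ancestor, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if "Terminal.app" in by_pid[pid]["argv"]:
            return pid
        pid = by_pid[pid]["ppid"]
    return None

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    removals, alerts = {}, []  # removals: Terminal pid -> (ts, pid) of latest removal
    for e in sorted(events, key=lambda e: e["ts"]):
        term = terminal_ancestor(e["ppid"], by_pid)
        if term is None:
            continue  # not descended from an interactive Terminal session
        argv = shlex.split(e["argv"])
        if removes_quarantine(argv):
            removals[term] = (e["ts"], e["pid"])
        elif argv[0].startswith(TEMP_DIRS) and term in removals:
            ts, rpid = removals[term]
            if e["ts"] - ts <= WINDOW:
                alerts.append((term, rpid, e["pid"], argv[0]))
    return alerts
```

Each alert is a tuple of (Terminal pid, xattr pid, executed pid, executed path); in the constructed data the listing with `xattr -l` and the temp-dir run outside the window do not alert.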




