TechFlow News: On April 21, Bybit’s Security Operations Center discovered a multi-stage malware campaign targeting macOS users of Claude Code, an AI-powered search and development tool.
The attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to counterfeit installation pages. Once accessed, these pages stole browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information.
Bybit stated that the malware can also establish persistent access via backdoor programs and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and related analysis, mitigation, and detection measures were completed the same day.
