In the first 6 months of 2026, attackers didn’t invent anything new—they simply got much better at using what already worked. This has changed the security landscape, as a single signature scan is no longer enough to keep Mac machines protected. From MacPaw’s Moonlock Lab, here’s what the tracking of macOS threats revealed in the first half of the year.
Key points
Let’s start with a breakdown of what we learned in the first half of 2026:
- Mac malware used to get less scrutiny, thanks to the assumption that criminals targeted Windows more. That assumption no longer holds up. Campaigns run in parallel (same servers, same domains, same dropper, same operator), just with a different binary. And any Mac incident becomes a candidate for a cross-platform follow-up attack.
- Cybercriminals actively learn from state-sponsored threat groups. LinkedIn recruitment lures, fake in-call fixes, fileless execution built to dodge detection—all of it originated in North Korean operations, and now, it’s widely used in criminal kits, often improved beyond the original versions.
- ClickFix, a method to trick a victim into running malware themselves, remains the dominant initial access method, and it survived Apple’s countermeasure within weeks of release.
- Targeting is concentrated on cryptocurrency holders and software developers. A developer’s package-publishing access can turn one compromise into an infection for hundreds of thousands of downstream users in a single step.
- Even as security research tools like VirusTotal show stealer samples growing sharply on macOS, adware still accounts for the largest share of actual detections. Cybercriminals are reaching for new tricks and technologies to build innovative malware. Meanwhile, old adware tricks still work on Mac users.
So, what does this mean for the remainder of 2026? And how can Mac users stay safe in the current threat landscape?
Don’t underestimate Mac malware
Campaign after campaign in the first half of 2026 ran parallel macOS and Windows payloads against the same victims on the same timeline: shared C2 infrastructure, shared delivery chains, and shared operator cadence.
The fake VC operation, which Moonlock documented in March, served macOS and Windows builds from a single server assigned by URL parameter. The DPRK-attributed UNC1069 intrusion that Mandiant reported in February deployed 7 macOS malware families alongside Windows tooling in a single engagement.
Any team capable of Windows coverage in 2026 has macOS coverage. The platforms are no longer separate threat surfaces. Treating them as such is an analyst’s mistake, not a threat-actor constraint.
Tricks used by state-sponsored threat groups go mainstream
DPRK-attributed operations spent years developing techniques that are now in use as commodities: JXA fileless delivery, DNS TXT-record dynamic C2, recruitment-themed LinkedIn funnels, and cryptocurrency wallet hijacking via Electron app.asar replacement. These techniques are in the public record. And they are covered in enough detail that a competent criminal team can reconstruct and improve them selectively.
Multiple criminal campaigns in the first half of 2026 followed suit. They borrowed from the BlueNoroff and Lazarus playbooks while adding improvements that have no prior nation-state precedent. For malware research, attribution based on technique overlap alone is no longer comprehensive enough.
Malware by the numbers: Volume, harm, and everything in between
Through 2025, Moonlock recorded a 67% rise in new macOS backdoor variants and a 17% rise in stealer variants, with campaigns reaching more than 80 countries. The first half of 2026 continues in that trajectory.
Moonlock Engine’s endpoint telemetry for the half-year reflects a consistent pattern. By volume, the macOS threat landing on user machines is still overwhelmingly low-severity. Adware accounts for approximately 65% of detections, while PUAs represent another 25%. Stealers, backdoors, and trojans combined are under 5% (stealers at roughly 1.7%, backdoors at 1.9%, trojans at 1.2%, and riskware at around 2%).

One AMOS, many forks
Inside stealer detections, Odyssey accounts for 62.7% of the total, distributed heavily through fake Homebrew, TradingView, and LogMeIn lures through the period. AtomicStealer (AMOS) sits at 29.8%. That number, however, requires context: AMOS operators went quiet in late 2025, but the codebase didn’t disappear with them. Odyssey is a fork of AMOS. So are several other families active in this window. Detections still collapsing into the AMOS signature reflect shared code rather than the original operators being back.
The practical consequence is that the 29.8% AMOS share is a floor, not a ceiling. Much of what falls under other family names is architecturally the same stealer with a different wrapper.
Taken together, the broader AMOS lineage accounts for more than 9 in 10 stealer detections across the period. PSW (generic password-stealers) comes in at 5.6%, Banshee at 1.1%, with DigitStealer and NovaStealer each at 0.3%.

The monthly breakdown adds context. January 2026 saw Odyssey spike to near-dominance for that month. DPRK stealers appear as a thin but persistent band throughout, a first-party confirmation that nation-state activity is landing on real machines, not just in incident reports.

Should we count droppers as stealers, too?
One caveat on stealer-layer telemetry: A meaningful share of campaigns never reach the stealer stage at all. When the dropper or stager is caught first, the stealer payload never executes, so it never appears in the stealer count. Stealer detections alone are undercounted in total campaign exposure. This is why the stager picture matters and why it tells a different story than the stealer breakdown above.

SHub.Loader accounts for 90.7% of stager detections across the period, a dominance that becomes even sharper in the monthly view. DigitStealer.Stager grew through January and February 2026. SHub.Loader then took over almost completely and held the lead from March onward. Odyssey.Stager sits at 3.4%, TinivDownloader at 1.9%, DigitStealer.Stager at 1.7%.

Adware is still the most effective trick in the book
VirusTotal’s sample-submission view shows a near-inversion: Unique malicious macOS samples grew roughly 40% year-over-year, and distinct new malware families nearly doubled.
Infostealers dominate newly submitted samples, while adware submissions have fallen sharply. That is not a contradiction. Moonlock Engine’s endpoint telemetry counts what actually runs on user machines, where high-volume adware swamps the tally. VirusTotal, meanwhile, counts unique files that researchers find are worth analyzing, where polymorphic stealers minting a fresh hash for nearly every infection inflate the count. The conclusion: Adware is everywhere, but the energy and the danger have moved to stealers.



On VirusTotal, AMOS remains the single most-submitted family, above 40% of macOS samples, though for the same reason that the 29.8% figure in our own telemetry needs context. Vendor engines routinely classify AMOS-lineage forks under the AMOS signature due to shared code. Consequently, that 40% is as much a statement about how detection logic handles the codebase as it is about AMOS, the original family.

“Apple certified” doesn’t mean safe
Code-signing abuse is now routine. Well over half of malicious Mach-O uploads were digitally signed, and roughly one-fifth carried valid or recently revoked Apple Developer certificates, which is how so much of this gets past Gatekeeper’s first prompt.

The most impersonated software as of mid-2026
In the rankings of malicious samples by the file names attackers gave them, impersonations of AI developer tools (think Claude_Code_Desktop.dmg, OpenClaw_Installer.pkg, ChatGPT_Plus_v2.dmg) now sit second only to cracked Adobe and creative-suite installers, quantifying the AI-lure shift described below. Fake corporate meeting apps (Zoom, Teams, Webex) have their own category on that list, showing the sample-data echo of the ZoomStealer prevalence in our own telemetry.

Example of the persistence trend in stealers
The notnullOSX stealer, documented by Moonlock in April, is the clearest example of a stealer that added persistence and became something new. Written in Go and obfuscated with garble, it was built around a hard rule: only target victims whose crypto holdings exceed $10,000. Operators submit a target’s social profiles and wallet address. Anything under the threshold is then rejected. This is targeting by net worth.
The delivery routes are twofold: a standard ClickFix path, and a fake Mac wallpaper app called WallSpace pushed through a YouTube channel that had lain dormant for a decade before suddenly publishing 1 video pulling 50,000 views in 2 weeks—a hijacked, repurposed account used once and then discarded.

Both routes ended at the same destination, aimed at tricking the victim into granting Full Disk Access during what looked like a normal install step. This is the mechanism behind the full collection of Messages, Notes, Safari data, and everything else that FDA covers, with no further prompts. The permission system wasn’t bypassed. The victim was simply persuaded to open the door.
Once running, notnullOSX downloads small, single-purpose modules in sequence, including iMessage history, Apple Notes, Safari cookies, crypto wallet files, browser passwords, and Telegram sessions. A developer-focused module sweeps SSH keys, cloud credentials, and package manager tokens. A separate module silently swaps installed wallet apps for trojanized copies, restoring the original icons. Unlike a conventional stealer, this one keeps a live connection to its C2 inside ordinary-looking Firebase traffic—the operator can continue queuing instructions indefinitely. Upon discovery, the main file was flagged by 10 of 64 antivirus engines, labeled as generic adware by the ones that flagged it.
This malware template represents a common theme in 2026. It’s not a smash-and-grab stealer, but a persistent, remotely controlled implant that starts with stealing.
ClickFix is the most common way in
For years, the standard Mac security advice centered on files: Don’t open the attachment, don’t run the unsigned app, and let Gatekeeper do its job. ClickFix bypasses all of that.
A ClickFix attack starts by presenting the user with a problem—a CAPTCHA to pass, a video-call audio glitch, or a document that won’t render. It then hands the user a fix: Copy this command, open Terminal, paste it, and press Enter. Because the user executes the command personally, nothing triggers the macOS security. There’s no download to be scanned. There’s no unsigned app for Gatekeeper to flag. And there’s no suspicious permission prompt. It’s just a person doing something a website told them to do.

This is effective for straightforward reasons. For one thing, the pages borrow trusted branding, such as Cloudflare, Zoom, or Google. The instructions tend to arrive through channels with higher social trust than email, such as LinkedIn introductions, calendar invites, or professional outreach. ClickFix also tends to manufacture urgency through the use of countdown timers. And the primary targets—macOS developers and crypto-adjacent users—are comfortable enough in Terminal to paste a command without reading it.
Apple’s solution for ClickFix didn’t hold for long
Apple shipped a countermeasure for ClickFix in macOS Tahoe 26.4: a warning dialog when a command copied from a browser is pasted into Terminal. Within weeks, Jamf Threat Labs discovered an effective counterattack. Campaigns were using the applescript:// URL scheme to open Script Editor directly from the browser, never touching Terminal. This means the new warning never fired. In fact, the lure pages there impersonate Apple itself, instructing users to “Reclaim disk space on your Mac,” then running curl | zsh through Script Editor’s do shell script.

Microsoft’s Digital Defense Report put ClickFix at 47% of observed initial access across 2025, continuing into 2026. Recorded Future assessed that it “will very likely remain the dominant initial access vector throughout 2026.”
AI tools became the new CAPTCHA
Through late 2025 and into 2026, ClickFix lure pages shifted from generic CAPTCHAs to AI tool impersonations. The brand on the page is interchangeable (Sora 2, Claude, Claude Code, ChatGPT, OpenClaw, etc.), but the Terminal or Script Editor copy-and-paste step at the end is the constant.
The abuse of Anthropic’s infrastructure deserves its own note. Moonlock Lab found Google Sponsored results pointing to a fake “macOS Secure Command Execution” guide published as a public Artifact on claude.ai, a trusted domain that bypasses URL scanners, Safe Browsing, and most enterprise web filters. The artifact had accumulated 16,000-plus views before detection.

In mid-May, 3 macOS stealer samples sat at 0 detections out of 72 engines a full week after upload. The lure? A fake macOS build of Codex. The samples fetched a second stage from a staging domain already seen in wider ClickFix campaigns, but the payload fingerprints matched Odyssey rather than MacSync, a traffer team renting shared distribution infrastructure while serving different stealers.

The developer’s environment is the new attack surface
Developer Macs are now high-value targets in their own right—not for what’s on them, but for where they can reach. The following are 2 examples of how that’s playing out.
Supply chain attacks
The campaigns described so far target individuals. The supply-chain pattern that emerged in the first half of 2026, however, targets the packages and tokens developers plug in automatically, reaching everyone downstream in a single operation.
The wave count through the half-year tells the story, and a single threat actor, TeamPCP, runs through most of it. The group’s campaign, which they call Shai-Hulud, operates by chaining compromises sequentially. Each foothold yields the credentials needed to hit the next target.
The cascade started with Trivy, the widely deployed open-source security scanner. TeamPCP compromised it in mid-March 2026, and from there, extracted the PyPI publishing tokens that LiteLLM’s CI pipeline was inadvertently handing over. LiteLLM, an AI API routing library with 95 million monthly PyPI downloads, had malicious versions (1.82.7 and 1.82.8) live for approximately 5 hours before detection. The payload used a .pth file, a Python mechanism that auto-executes on the interpreter start with no import required, delivering credential harvesting, Kubernetes lateral movement, and a persistent systemd backdoor. It took 5 days from the initial Trivy compromise to the LiteLLM backdoor.
TeamPCP then turned to Checkmarx’s own tooling: GitHub Actions workflows for ast-github-action and kics-github-action in March, KICS Docker images and VS Code extensions in April, and Bitwarden CLI (2026.4.0) and the Jenkins AST plugin in May. The malware sweeping through these environments specifically targeted GitHub auth tokens, AWS/Azure/GCP credentials, SSH keys, npm config files, and Claude and other MCP configuration files, a direct overlap with GhostLoader’s AI-agent credential targeting.
The timeline of these waves shows that most damage is concentrated in the first hours after a malicious version is published, before security researchers detect it, before registries respond, and before advisories can be posted. The Axios payload was live for 3 hours. The TanStack wave ran for 6 minutes to produce 84 artifacts.
The corresponding defense is deliberate update latency. Organizations should not apply new package versions to production automatically or immediately. A 48- to 72-hour hold between publication and deployment, as a cooldown window, gives security researchers and registry-monitoring services time to detect and disclose compromised versions before they execute in your environment. That window would have protected most organizations from these kinds of attacks.
AI-operated attacks on developer infrastructure
Sysdig’s report described an intrusion observed on May 10. They assessed that it was driven by an LLM agent composing the attack in real time. The chain was an unauthenticated WebSocket RCE on an internet-facing marimo notebook (CVE-2026-39987, on CISA KEV), which harvested 2 cloud credentials, spread 12 GetSecretValue calls across 11 Cloudflare Workers IPs in 22 seconds to defeat source-based detection, pulled an SSH key from AWS Secrets Manager, and ran 8 parallel bastion SSH sessions that dumped an internal PostgreSQL database in under 2 minutes. The full chain occurred in under an hour.
The macOS relevance is contextual. The targeted environment was cloud infrastructure, but the tradecraft transfers directly to developer environments, where detection keying on a fixed command sequence breaks against an agent improvising. What holds up is behavioral: credentials being read, a database leaving, and access being escalated, regardless of the specific commands used to do it. GhostLoader is already harvesting AI-agent account credentials and planting MCP servers into coding-assistant configurations. The TanStack persistence mechanism used Claude Code session hooks. The attack surface has expanded to include the AI layer itself.
Final thoughts
The first half of 2026 showed that the assumptions defenders once relied upon—macOS as a secondary surface and technique overlap for attribution—no longer hold up. The old detection and classification methods call for urgent and drastic changes.
The risk for macOS users isn’t evenly distributed. Developers, cryptocurrency holders, and anyone with access to high-profile credentials are the priority targets. Why? Because compromising them reaps far greater results for attackers.
Based on these mid-year findings, here are some recommendations from Moonlock Lab that will help security teams and everyday Mac users defend themselves in this new cyber reality in 2026.
For security teams:
- Treat any Mac intrusion as a candidate for a Windows component and vice versa. Campaigns this half-year shared servers, domains, droppers, and operators across both platforms. Checking only one side of an incident can potentially miss the other.
- Don’t rely on technique overlap alone for attribution. Criminal groups are reconstructing and improving state-sponsored tradecraft fast enough that shared methods no longer point reliably to a shared origin.
- Extend the scope of detection beyond the endpoint for developer-focused threats. Stealers and supply-chain payloads are built to reach cloud credentials, package registries, and CI/CD pipelines. Local-machine telemetry alone won’t catch that.
- Shift detection logic from signatures to behavior: a quarantine flag being stripped, a persistent connection to an unfamiliar server, new LaunchAgent entries outside a known install event, unexpected outbound traffic from a build environment, etc.
- Expect ClickFix delivery mechanics to keep changing. Apple’s Terminal warning was bypassed within weeks via Script Editor, so build systems to monitor for the current and next adaptation.
For everyday Mac users:
- Never paste a command into Terminal, Script Editor, or any system tool just because a website, a video call, or a document told you to.
- Watch for AI-tool impersonations specifically. Fake Claude, ChatGPT, Sora, and Codex installers have become a leading disguise for ClickFix payloads. Download AI tools only from their official sites, not from search ads or shared links.
- Use ad blockers and regularly check your Mac for adware with a trusted antivirus app like Moonlock. Adware is the most common type of malware on Macs.
- Don’t treat “notarized by Apple” as proof of safety. Up to 20% of malware had Apple’s certificates this year.
- If you’re a developer, treat your Mac as an entry point to everything it’s connected to. Audit SSH keys, cloud credentials, and package-manager tokens periodically, since those are now clear targets for cybercriminals.
Sources
- Moonlock Lab. Fake VCs target crypto talent in a new ClickFix campaign. moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign
- Moonlock Lab. notnullOSX stealer. moonlock.com/notorious-hacker-returns-notnullosx-stealer
- Moonlock. GhostClaw / GhostLoader. moonlock.com/fake-ai-tool-ghostclaw
- Moonlock. Hackers using shared Claude chats to drop malware. moonlock.com/shared-claude-chats-drop-malware
- Moonlock. SHub Reaper. moonlock.com/mac-stealer-shub-reaper
- Mandiant / GTIG. UNC1069 targets cryptocurrency. cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering
- Microsoft Threat Intelligence. Infostealers without borders (Feb 2). microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/
- Microsoft Threat Intelligence. ClickFix fake macOS utilities lures (May 6). microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
- Microsoft Threat Intelligence. Axios npm (Apr 1). microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
- Jamf Threat Labs. ClickFix Script Editor / Atomic Stealer. jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/
- Jamf Security 360: 2026 report. jamf.com/resources/white-papers/security-360-annual-trends-report/
- JFrog Security. GhostClaw unmasked. research.jfrog.com/post/ghostclaw-unmasked/
- SentinelOne / Phil Stokes. SHub Reaper. sentinelone.com/blog/shub-reaper-macos-stealer/
- StepSecurity. Mini Shai-Hulud (TanStack). stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- OpenAI. Response to TanStack npm supply chain attack. openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/
- Snyk. Mini Shai-Hulud (@antv). snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/
- Wiz. Miasma / @redhat-cloud-services. wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages
- Sysdig TRT. AI agent at the wheel. sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
- Recorded Future / Insikt Group. ClickFix clusters (Mar 31). thehackernews.com/2026/03/clickfix-campaigns-spread-macsync-macos.html
- Malwarebytes. Fake Claude search results. malwarebytes.com/blog/news/2026/05/fake-claude-search-results-lure-mac-users-into-clickfix-attack
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.