ClickFix Campaign Delivers MacSync Malware via Fake Claude AI Extensions Targeting Developers
What Happened — Researchers at 7AI uncovered a fraud‑as‑a‑service operation that publishes counterfeit Claude AI browser extensions and purchases Google ads to lure software engineers. When victims install the “ClickFix” extension, it drops the MacSync macOS‑only malware, which harvests credentials, SSH keys, and proprietary source code before exfiltrating them to command‑and‑control servers.
Why It Matters for TPRM —
- Third‑party AI tooling can become a covert supply‑chain vector, exposing downstream vendors to credential theft.
- Mac‑focused malware shows attackers are expanding beyond Windows, threatening organizations with mixed‑OS workforces.
- The use of paid ad networks bypasses traditional email‑phishing controls, requiring broader monitoring of web‑based procurement processes.
Who Is Affected — Technology firms, SaaS providers, cloud‑native development teams, and any organization that permits developers to install browser extensions or AI‑assisted coding tools.
Recommended Actions —
- Block installation of unsigned browser extensions on corporate devices.
- Enforce strict allow‑list policies for AI‑related plugins and verify publisher signatures.
- Deploy endpoint detection for macOS payloads such as MacSync and monitor outbound traffic to known C2 domains.
- Review procurement logs for paid ad clicks that lead to software downloads.
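One way to operationalize the allow‑list action above on a managed Mac, as an added example that is not part of the 7AI research or the HackRead article: a POSIX shell audit that lists the Chrome extensions installed in a profile and flags any extension ID that is not on an approved list. Chrome keeps each installed store extension under `<profile>/Extensions/<32‑character id>/<version>/` (on macOS the default profile is `~/Library/Application Support/Google/Chrome/Default`). The profile directory, the allow‑list file and the two extension IDs in the demo fixture are constructed for the example, not real extension identifiers.

```shell
#!/bin/sh
# Added example (not from the report or article): audit a Chrome profile's
# installed extensions against an allow-list of extension IDs.
# Chrome Web Store IDs are 32 lowercase letters from the range a-p; each
# installed extension lives in <profile>/Extensions/<id>/<version>/.

# audit_extensions PROFILE_DIR ALLOWLIST_FILE
#   Prints "UNAPPROVED <id>" for each installed extension not in the allow-list.
#   Returns 0 when every installed extension is approved, 1 otherwise.
audit_extensions() {
    prof="$1"
    allow="$2"
    rc=0
    for d in "$prof"/Extensions/*/; do
        [ -d "$d" ] || continue            # no Extensions dir: glob stays literal
        id=$(basename "$d")
        case "$id" in
            *[!a-p]*) continue ;;          # not a store-style ID, ignore
        esac
        [ ${#id} -eq 32 ] || continue
        if ! grep -qx "$id" "$allow"; then # exact, whole-line match
            echo "UNAPPROVED $id"
            rc=1
        fi
    done
    return $rc
}

# --- constructed demo fixture; on a managed Mac point profile at the real
# --- "$HOME/Library/Application Support/Google/Chrome/Default" instead.
demo=$(mktemp -d)
profile="$demo/Default"
mkdir -p "$profile/Extensions/abcdefghijklmnopabcdefghijklmnop/1.0.0_0" \
         "$profile/Extensions/ponmlkjihgfedcbaponmlkjihgfedcba/2.3.1_0"
# Only the first constructed ID is approved.
printf '%s\n' abcdefghijklmnopabcdefghijklmnop > "$demo/allowlist.txt"

audit_extensions "$profile" "$demo/allowlist.txt" \
    || echo "audit: unapproved extensions present, see lines above"
```

Run it per user profile from an MDM script or a scheduled job and forward the UNAPPROVED lines to the SIEM; pairing it with Chrome's enterprise ExtensionInstallAllowlist / ExtensionInstallBlocklist policies turns the audit into a preventive control rather than a detective one.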
Technical Notes — Attack vector: malicious browser extension delivered via Google Ads (phishing). No known CVE; malware targets macOS, exfiltrates SSH keys, API tokens, and source code repositories. Source: HackRead