Fake Homebrew, LogMeIn, and TradingView macOS developer campaign

Campaign
Happening score: 39
1 unique source, 1 article

Summary

A malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView sites, creating a broad infostealer risk for Apple users. The operation uses ClickFix lures and search promotion to push victims into running Terminal commands that install AMOS and Odyssey.

Related Happenings

MacOS living-off-the-land analysis exposing native-feature abuse

Technical Analysis
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...

MacOS LOTL detection and hardening guidance against native-tool abuse

Defensive Guidance
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

Infinity Stealer macOS infostealer activity

Malware Activity
First: 28.03.2026 16:35 Last: 28.03.2026 16:35 Sources 1

About this happening: **Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...

Timeline

  1. 18.10.2025 18:02 2 articles · 7mo ago

    Researchers disclose fake Homebrew, LogMeIn, and TradingView macOS developer campaign

    Initial Disclosure

    Hunt.io identified more than 85 domains impersonating Homebrew, LogMeIn, and TradingView to target macOS developers with ClickFix-style lures. The malicious sites present fake download portals and connection-check prompts that push victims to copy curl commands into Terminal, sometimes swapping the visible Cloudflare verification text for a base64-encoded installation command. The delivery chain fetches install.sh, drops AMOS (Atomic macOS Stealer) or Odyssey, removes quarantine flags to bypass Gatekeeper, and can exfiltrate browser, cryptocurrency, Keychain, and file data; some traffic to the lookalike domains was driven through Google Ads.
