GoPlus: The malware Infiniti Stealer attacks cryptocurrency wallets targeting Mac users

According to GoPlus Security, a piece of malware named Infiniti Stealer is targeting Mac users' cryptocurrency wallets and sensitive credentials through a "ClickFix" social engineering attack method.

The attackers forge a highly realistic Cloudflare CAPTCHA page to lure users into opening the terminal and manually pasting malicious commands. After executing the command, the script removes the macOS quarantine attribute and silently writes subsequent payloads to the /tmp directory. The final payload is a native macOS binary compiled with Nuitka, significantly increasing the difficulty of detection by security tools. Once deployed, Infiniti Stealer can steal Chromium / Firefox browser credentials, macOS Keychain, cryptocurrency wallets, and developer key files (such as .env files), and it has sandbox detection and delayed execution capabilities to evade tracking.