2025, the year of the Infostealer
ID: 231a780d-be81-5201-86df-438152b78adb
STIX ID: report--231a780d-be81-5201-86df-438152b78adb
Feed Name: Pen Test Partners Blog
A 2025 incident involved a macOS infostealer delivered via a fake Homebrew “one-liner” that retrieved an AppleScript payload from a malicious GitHub repository or website. The payload phished the user’s password, performed anti-sandbox checks, harvested credentials and files, compressed them into /tmp/out.zip, and attempted exfiltration via HTTP POST to a C2 server; network egress controls blocked the uploads, and activity was contained to a single host. The report outlines the infection chain, persistence through a LaunchDaemon, cleanup behaviors, IOCs (files, domains, IPs, URL), and MITRE TTPs. It advises defenders to monitor terminal one-liners, credential prompts followed by sudo use, staging-to-archive patterns, new LaunchDaemons, and post-activity cleanup, reinforcing that simple user-driven techniques remain highly effective.
