Tech impersonators: ClickFix and MacOS infostealers
ID: 27de4f18-327f-570e-90c3-31b1c7c05e9c
STIX ID: report--27de4f18-327f-570e-90c3-31b1c7c05e9c
Feed Name: Datadog Security Labs
Datadog Security Research identifies an ongoing campaign that uses impersonated GitHub repositories and ClickFix pages to trick users into running paste-to-shell commands that deploy macOS infostealers (MacSync and the more advanced SHub v2.0). SHub adds credential validation, expanded wallet and enterprise data collection, persistence as a fake GoogleUpdate LaunchAgent, and a periodic C2 heartbeat with remote command execution. The report includes detailed TTPs, sample staging scripts, C2 domains and endpoints, GitHub lures, temporary file locations, actor accounts, and mitigation guidance (source verification, repository validation, command scrutiny, user awareness).
