Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

ID: 3810bac1-75d8-54ab-a544-df473d21a73d

STIX ID: report--3810bac1-75d8-54ab-a544-df473d21a73d

Feed Name: CloudSEK Blog

Threat Score
78/100

Date Published: 2026-01-21

Date Updated: 2026-04-27

...
...

**Executive Summary:** Routine threat hunting uncovered a ClickFix-style phishing lure leading to MacSync, a macOS infostealer delivered by coercing users into pasting a command into Terminal. MacSync uses a daemonized Zsh second stage to fetch and execute an AppleScript that phishes for the macOS password, harvests browser credentials, wallet data, Keychain files, and other high-value artifacts, and can persist by trojanizing Electron-based hardware wallet companion apps to present convincing recovery-phrase and PIN phishing UIs. The report includes a technical reversal of the infection chain, IoCs (jmpbowl.* C2 domains, macclouddrive and related lure sites, /tmp/osalogging.zip, file hashes), and YARA rules for detection.