Something Phishy in the /tmp Folder
ID: e078cf6e-6126-5019-809f-9ef16926d522
STIX ID: report--e078cf6e-6126-5019-809f-9ef16926d522
Feed Name: Huntress Blog
A macOS infostealer named **MacSync** used a fake “macOS Protection Service” prompt to trick a user into unlocking the Keychain. It then harvested credentials, browser cookies, and crypto wallets into /tmp/salmonela, zipped the stash, and attempted to POST it to a C2 server. Huntress Managed EDR and a 24/7 SOC detected and isolated the host before data was successfully exfiltrated.
