- Researchers have discovered a new macOS attack that starts off disguised as a legitimate email and tries to fool users into running malicious scripts, without exploiting any software vulnerability.
- The malware seeks to bypass macOS privacy protection by faking system approvals, secretly gaining access to your camera, microphone and files without your knowledge.
- Recent macOS updates have built-in features that stop most of these techniques from succeeding, so keeping your system updated can actually prevent the attack.

Researchers have revealed that a new phishing scheme targeting Apple’s macOS is making the rounds. It tricks users into handing over their passwords, then tries to sneak permanent access to their cameras and files.
This malware uses trusted Apple tools against the system. It highlights a major shift in cyber threats. Attackers now prefer to manipulate people rather than hack software, a trend supercharged by new tools like AI voice cloning kits that are commoditizing advanced social engineering. Keeping your system updated is your best defense.
The Attack Starts with a Simple Email Trick
The whole scheme begins with a phishing email. It tricks you into downloading a file named something like “Confirmation_Token_Vesting.docx.scpt”. This file looks like a harmless Microsoft Word document. But the “.scpt” extension means it’s actually an AppleScript.
When opened, a prompt asks you to run the script due to fake “compatibility issues”. If you click okay, the script silently runs. It contacts a hacker-controlled server and sends details about your Mac. The server sends back a second, more dangerous script.
This is where the real deception happens: it displays a fake password dialog that closely mimics the genuine macOS system prompt. It asks for your username and password, claiming it needs them to “repair” some problem. A fake progress bar even appears while it checks your credentials.
If you type your password, the script validates it on the spot. If it’s wrong, the box shakes like a real login error. Once you provide the correct password, it’s encoded and sent straight to the hackers’ server. They now have the keys to your Mac.
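The lure relies on a document-looking name hiding a script extension. As an added example (not code from the article or the researchers who analyzed the campaign), here is a small Python check a defender can run over a Downloads folder to flag that pattern. The extension lists are my own choices and the sample files are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# File types macOS hands to an interpreter (Script Editor / osascript / a shell)
# rather than to a document viewer. Chosen for this example; extend as needed.
EXECUTABLE_EXTS = {".scpt", ".applescript", ".command", ".sh"}
# Document types a lure might present as the "visible" part of the name.
DOCUMENT_EXTS = {".docx", ".doc", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def classify_name(filename: str):
    """Return (decoy_ext, real_ext) when the name is a double-extension lure
    such as 'Confirmation_Token_Vesting.docx.scpt', otherwise None."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if len(suffixes) < 2:
        return None
    decoy_ext, real_ext = suffixes[-2], suffixes[-1]
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DOCUMENT_EXTS:
        return decoy_ext, real_ext
    return None


def scan_directory(root: str):
    """Walk a directory tree and return (path, decoy_ext, real_ext) for each lure found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_name(name)
            if hit is not None:
                findings.append((os.path.join(dirpath, name), hit[0], hit[1]))
    return findings


def build_sample_downloads() -> str:
    """Constructed sample: a temporary 'Downloads' folder with one lure and two real documents."""
    root = tempfile.mkdtemp(prefix="downloads_sample_")
    for name in ("Confirmation_Token_Vesting.docx.scpt", "quarterly_report.docx", "invoice.pdf"):
        Path(root, name).write_bytes(b"placeholder content")
    return root


if __name__ == "__main__":
    # Scan the real Downloads folder if present, otherwise the constructed sample.
    target = os.path.expanduser("~/Downloads")
    if not os.path.isdir(target):
        target = build_sample_downloads()
    for path, decoy, real in scan_directory(target):
        print(f"LURE: {path}  looks like {decoy} but is really {real}")
```

Finder hides known extensions by default, so a name like this renders as a Word document unless "Show all filename extensions" is enabled; the script looks at the full name on disk instead.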
Bypasses Privacy Guards
Once this malware has your password, it goes straight for TCC (Transparency, Consent, and Control), Apple’s main privacy gatekeeper on your Mac, and tries to disable it. TCC is the system behind those pop-ups asking whether an app can use your camera, microphone, or files.
The hackers’ script tries to forge approvals inside the TCC database. It doesn’t ask for permission for itself. Instead, it tries to grant full access to trusted Apple applications like Terminal or Finder. The malware would then run its code through those trusted apps, inheriting their permissions.
This would let it access your Screen, Camera, and Full Disk without a single alert. You’d never see a permission pop-up. Thankfully, Apple has strengthened TCC in recent years. On newer macOS versions, this particular database trick will likely fail. But it shows the lengths hackers will go to.
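The forged approvals the article describes would show up as "allowed" rows for Apple's own apps in the TCC database. As an added example (my code, not the researchers' or Apple's), this Python audit lists such rows. It assumes the standard database locations, that the `access` table exposes `service`, `client`, `auth_value` and `last_modified` columns, and that `auth_value` 2 means allowed; reading the real per-user database requires Full Disk Access for the process doing the reading, and the system database additionally requires root. The in-memory sample database is constructed with a simplified subset of the real columns.

```python
import sqlite3
import time
from pathlib import Path

# Standard TCC database locations on macOS (assumed; check on your version).
USER_TCC_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")

# Services the article says the script tries to forge approvals for.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",
    "kTCCServiceCamera",
    "kTCCServiceMicrophone",
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access (lives in the system DB)
}
# Apple-signed apps whose approvals a script could hijack by running code through them.
WATCHED_CLIENTS = {"com.apple.Terminal", "com.apple.finder"}
AUTH_ALLOWED = 2  # assumed auth_value meaning "allowed" in the access table


def audit_tcc(conn: sqlite3.Connection):
    """Return allow-rows that grant a watched Apple app a sensitive service."""
    rows = conn.execute(
        "SELECT service, client, auth_value, last_modified FROM access"
    ).fetchall()
    findings = []
    for service, client, auth_value, last_modified in rows:
        if (service in SENSITIVE_SERVICES and client in WATCHED_CLIENTS
                and auth_value == AUTH_ALLOWED):
            findings.append({
                "service": service,
                "client": client,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S",
                                          time.localtime(last_modified or 0)),
            })
    return findings


def audit_tcc_file(db_path: Path):
    """Open a TCC database read-only and audit it."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return audit_tcc(conn)
    finally:
        conn.close()


def build_sample_tcc_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db. Only the columns this audit reads
    are included; the real 'access' table has more (csreq, flags, policy_id, ...)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    now = int(time.time())
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "com.apple.Terminal", 0, 2, 3, now),        # forged: hit
            ("kTCCServiceCamera", "com.apple.finder", 0, 2, 3, now),                 # forged: hit
            ("kTCCServiceCamera", "com.example.videocall", 0, 2, 2, now - 86400 * 30),  # ordinary grant
            ("kTCCServiceMicrophone", "com.apple.Terminal", 0, 0, 3, now),           # denied: no hit
        ],
    )
    return conn


if __name__ == "__main__":
    checked_real_db = False
    for db in (USER_TCC_DB, SYSTEM_TCC_DB):
        if db.exists():
            try:
                findings = audit_tcc_file(db)
                checked_real_db = True
                print(f"{db}: {len(findings)} suspicious allow-row(s)")
                for f in findings:
                    print("  ", f)
            except sqlite3.OperationalError as exc:
                print(f"{db}: cannot read ({exc}); grant Full Disk Access or run as root")
    if not checked_real_db:
        for f in audit_tcc(build_sample_tcc_db()):
            print("sample:", f)
```

A fresh, recent `modified` timestamp on a Terminal or Finder grant for screen capture or the camera is the thing to look at, since users rarely approve those for Apple's own utilities; Apple's newer integrity protections on the database are what make the forgery fail on current macOS.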
Building a Persistent Backdoor on Your Mac
The attack doesn’t stop there. After the TCC attempt, it works to stay on your Mac forever. It downloads and installs a modular loader built with Node.js. This creates a hidden folder on your computer named ~/.nodes.
This loader acts as both spy and doorway. First, it profiles your entire system: the operating system version, the CPU, the RAM, the hard drive configuration, and all the apps running on the device. Once it has collected this information, it sends it to the hackers’ command server.
In the next stage, the malware sets up persistence by creating a LaunchAgent, a macOS mechanism for automatically starting programs. This ensures that each time you boot your computer, the malware starts up too. It hides the agent inside your user Library folder, where it is hard to spot.
The final payload is a flexible command loop: the malware checks in with the hackers’ server regularly for instructions on how it should behave. Hackers can therefore change its behavior whenever they want, and can deliver spyware, ransomware, or any other tool directly to your machine.
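The persistence step leaves a concrete artifact: a launchd property list in the user's Library that starts the Node.js loader from the hidden `~/.nodes` folder. As an added example (my code, not the researchers' or the loader's), this Python script parses every plist in `~/Library/LaunchAgents` with the standard `plistlib` module and reports agents that reference that directory or launch an interpreter directly. The interpreter list and the two sample plists (written to a temporary directory with hypothetical labels) are constructed for the example.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Per-user LaunchAgents live here; the article's loader hides its agent in the user Library.
USER_LAUNCH_AGENTS = Path.home() / "Library/LaunchAgents"
# Indicator from the article: the loader's hidden working directory.
HIDDEN_DIR_FRAGMENTS = ("/.nodes/", "/.nodes")
# Interpreters a vendor agent rarely launches directly (list chosen for this example).
INTERPRETERS = {"node", "osascript", "sh", "bash", "zsh", "python3", "curl"}


def inspect_plist(path: Path) -> dict:
    """Parse one launchd plist and list the reasons it looks suspicious (empty if none)."""
    with open(path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in this folder deserves a look too
            return {"path": str(path), "label": None, "args": [],
                    "reasons": [f"unparseable: {exc}"]}

    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    args = [str(a) for a in args]
    joined = " ".join(args)
    reasons = []
    if any(frag in joined for frag in HIDDEN_DIR_FRAGMENTS):
        reasons.append("references the hidden ~/.nodes directory")
    if args and os.path.basename(args[0]) in INTERPRETERS:
        reasons.append(f"runs an interpreter directly ({os.path.basename(args[0])})")
    # RunAtLoad/KeepAlive are normal for legitimate agents, so they are reported
    # only as context once another indicator has fired.
    if reasons and (data.get("RunAtLoad") or data.get("KeepAlive")):
        reasons.append("starts at login (RunAtLoad/KeepAlive)")
    return {"path": str(path), "label": data.get("Label"), "args": args, "reasons": reasons}


def scan_launch_agents(dirs=(USER_LAUNCH_AGENTS,)):
    """Return inspection results for every suspicious plist in the given directories."""
    results = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            result = inspect_plist(plist)
            if result["reasons"]:
                results.append(result)
    return results


def build_sample_agents_dir() -> str:
    """Constructed sample: one agent shaped like the article's loader, one ordinary vendor agent."""
    root = tempfile.mkdtemp(prefix="launchagents_sample_")
    samples = {
        "com.example.update.plist": {  # hypothetical label for the malicious agent
            "Label": "com.example.update",
            "ProgramArguments": ["/usr/local/bin/node", "/Users/alice/.nodes/loader.js"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "com.example.vendorhelper.plist": {  # hypothetical benign agent
            "Label": "com.example.vendorhelper",
            "ProgramArguments": ["/Applications/VendorHelper.app/Contents/MacOS/helper", "--agent"],
            "RunAtLoad": True,
        },
    }
    for name, content in samples.items():
        with open(Path(root, name), "wb") as fh:
            plistlib.dump(content, fh)
    return root


if __name__ == "__main__":
    # Scan the real LaunchAgents folder if it exists, otherwise the constructed sample.
    target = USER_LAUNCH_AGENTS if USER_LAUNCH_AGENTS.is_dir() else build_sample_agents_dir()
    for r in scan_launch_agents([target]):
        print(f"{r['path']} [{r['label']}]")
        for reason in r["reasons"]:
            print("   -", reason)
```

Pair this with a check for the folder itself (`ls -la ~/.nodes`): an agent pointing into a dot-directory under the home folder is the combination the article describes, while vendor agents normally point into an application bundle.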
Being Vigilant is Your Best Defense
This campaign really drives the point home: even the best security can crumble if just one person clicks “OK” without thinking. Hackers are very much aware that these tricks work; that’s why they keep investing in social engineering attacks.
Here’s the thing: you’ve got more control than you realize. Honestly, staying safe online comes down to being careful: if an email smells fishy, don’t touch it. Stop typing your password into sketchy pop-ups, especially ones that appear out of nowhere right after you open a file. And don’t slack on macOS updates; skipping them is basically inviting trouble, because Apple’s latest security features are built to block exactly these kinds of attacks.
The real defense here isn’t some fancy tool—it’s you, staying alert. This attack doesn’t sneak in through software bugs; it tries to fool you instead. Take a moment before clicking anything because that 30-second pause can save you from letting dangerous malware into your computer.
The consequences of a breach extend far beyond a single device, potentially enabling large-scale theft of sensitive data that devastates organizations and innocent individuals alike.