
MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

Medium
Published: Mon Jan 26 2026 (01/26/2026, 08:54:01 UTC)
Source: AlienVault OTX General

Description

The MacSync stealer campaign targets macOS and Windows users by leveraging SEO poisoning to redirect victims to fake GitHub repositories impersonating legitimate tools such as PagerDuty. The attack chain starts with a Google search leading to malicious GitHub repositories and GitHub Pages sites that deploy MacSync in three stages: loader, dropper, and payload. MacSync aggressively steals credentials from browsers, cloud services, and cryptocurrency wallets. The campaign has been active since September 2025 with 39 identified malicious repositories, 24 still active as of January 2026. Evasion techniques include 'readme-only' repositories and distributed identities to avoid detection. This threat does not require prior authentication but relies on user interaction via search and execution of deceptive commands. It poses a medium severity risk due to its broad credential theft capabilities and multi-stage infection process.

AI-Powered Analysis

Last updated: 01/26/2026, 09:35:16 UTC

Technical Analysis

The MacSync stealer campaign is an active infostealer operation targeting both macOS and Windows users across multiple sectors. Threat actors employ SEO poisoning to manipulate search engine results, directing victims to fraudulent GitHub repositories that impersonate trusted tools like PagerDuty. These repositories host malicious code and redirect users to GitHub Pages sites that serve deceptive commands. The infection process unfolds in three stages: a loader that initiates the attack, a dropper that installs components, and the final MacSync payload. MacSync is designed to harvest sensitive information aggressively, including credentials stored in browsers, cloud service tokens, and cryptocurrency wallets. The campaign has been ongoing since at least September 2025, with 39 malicious repositories identified and 24 still active as of January 2026. To evade detection, attackers use 'readme-only' repositories that appear benign and distribute identities across multiple accounts. The malware leverages AppleScript on macOS and other scripting techniques to execute payloads stealthily. Indicators of compromise include multiple suspicious domains and URLs used for hosting payloads and command and control infrastructure. The campaign does not exploit software vulnerabilities but relies heavily on social engineering and user interaction, specifically through search engine manipulation and execution of commands from fake repositories. While no CVSS score is assigned, the threat is rated medium severity due to its potential for widespread credential theft and the complexity of its infection chain.

Potential Impact

European organizations face significant risks from this campaign due to the widespread use of macOS and Windows systems in business environments, especially in sectors reliant on cloud services and online tools like PagerDuty. Credential theft can lead to unauthorized access to corporate networks, cloud infrastructure, and financial assets, including cryptocurrency wallets. The multi-stage infection process increases the likelihood of successful compromise by evading traditional detection methods. SEO poisoning can affect any organization whose employees use search engines for software downloads or troubleshooting, increasing the attack surface. The theft of cloud service credentials can result in data breaches, service disruptions, and lateral movement within networks. Cryptocurrency wallet theft poses direct financial losses. The campaign's persistence and active repositories indicate ongoing risk, requiring continuous vigilance. Additionally, the use of fake GitHub repositories undermines trust in legitimate open-source platforms, potentially impacting developer workflows and software supply chains in Europe.

Mitigation Recommendations

European organizations should implement advanced threat detection focusing on anomalous GitHub repository access and unusual command execution patterns, especially those involving AppleScript on macOS. Security teams should educate users about the risks of downloading software or executing commands from unverified sources, emphasizing caution with search engine results. Deploy endpoint detection and response (EDR) solutions capable of detecting multi-stage malware behaviors, including loaders and droppers. Enforce strict application whitelisting and restrict execution of scripts from untrusted locations. Monitor network traffic for connections to known malicious domains and URLs associated with this campaign, blocking them at the firewall or proxy level. Regularly audit and rotate credentials, especially for cloud services and cryptocurrency wallets, and implement multi-factor authentication (MFA) to reduce the impact of stolen credentials. Use DNS filtering to prevent access to malicious domains. Collaborate with threat intelligence providers to stay updated on new malicious repositories and indicators of compromise. Finally, consider integrating security awareness training focused on recognizing SEO poisoning and social engineering tactics.


Technical Details

Author
AlienVault
TLP
white
References
https://daylight.ai/blog/macsync-stealer-returns-seo-poisoning
Adversary
null
Pulse Id
69772ba9dd9a67872ce009f7
Threat Score
null

Indicators of Compromise

Url

Value
http://cotlesgengeral.com/
http://hci-outdoors.com/salt-engine.html
http://securityfenceandwelding.com/curl/79fbe2e4cccedda99204eeeeab1f4cb93ff81c1d08f2f28dfb1db80c187e1d43

Domain

Value
arsenmarkaruyn.com
cotlesgengeral.com
hci-outdoors.com
mac-semen.com
macfyno.com
securityfenceandwelding.com
github.macos-developer.com
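The mitigation section recommends monitoring network traffic for connections to the campaign's domains and URLs and blocking them at the proxy or DNS layer. The following Python script is an added example, not code from the AlienVault pulse or the Daylight write-up: it loads the indicators listed above and scans a handful of constructed DNS and web-proxy log lines (the key=value log format, client addresses and timestamps are made up for the example) to show three kinds of hit a defender wants to distinguish: an exact URL match, a domain match that also covers subdomains (with a dot-boundary check so that look-alike names such as notmacfyno.com do not trigger), and a URL whose host is an indicator even though its scheme or path differs from the listed URL.

```python
"""Match DNS and web-proxy log lines against the MacSync IoCs listed on this page."""
from urllib.parse import urlsplit

# Indicators copied verbatim from the page's IoC tables.
IOC_DOMAINS = {
    "arsenmarkaruyn.com",
    "cotlesgengeral.com",
    "hci-outdoors.com",
    "mac-semen.com",
    "macfyno.com",
    "securityfenceandwelding.com",
    "github.macos-developer.com",
}
IOC_URLS = {
    "http://cotlesgengeral.com/",
    "http://hci-outdoors.com/salt-engine.html",
    "http://securityfenceandwelding.com/curl/"
    "79fbe2e4cccedda99204eeeeab1f4cb93ff81c1d08f2f28dfb1db80c187e1d43",
}


def normalize_host(host):
    """Lower-case a hostname and drop a trailing dot (as seen in DNS logs)."""
    return host.strip().lower().rstrip(".")


def matching_domain(host, ioc_domains=IOC_DOMAINS):
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    Longest indicator is tried first so the most specific one wins; the
    "." + ioc check is the dot boundary that keeps 'notmacfyno.com' from
    matching 'macfyno.com'.
    """
    host = normalize_host(host)
    for ioc in sorted(ioc_domains, key=len, reverse=True):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def matching_url(url, ioc_urls=IOC_URLS):
    """Return the IoC URL that `url` matches exactly (after lower-casing scheme
    and host; path is compared as-is because it is case-sensitive), else None."""
    parts = urlsplit(url.strip())
    normalized = parts._replace(
        scheme=parts.scheme.lower(), netloc=normalize_host(parts.netloc)
    ).geturl()
    return normalized if normalized in ioc_urls else None


def parse_kv_line(line):
    """Parse a constructed 'TIMESTAMP key=value key=value' log line into a dict."""
    fields = {}
    tokens = line.split()
    if not tokens:
        return fields
    fields["ts"] = tokens[0]
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_line(line):
    """Return (kind, indicator) when a DNS query or proxied URL touches an IoC.

    kind is 'dns' (query name equals or sits under an IoC domain), 'url'
    (exact URL indicator) or 'url-host' (different scheme/path, but the host
    is an IoC domain, which is the usual way a brittle URL indicator drifts).
    """
    f = parse_kv_line(line)
    if "query" in f:
        hit = matching_domain(f["query"])
        return ("dns", hit) if hit else None
    if "url" in f:
        url_hit = matching_url(f["url"])
        if url_hit:
            return ("url", url_hit)
        host_hit = matching_domain(urlsplit(f["url"]).hostname or "")
        return ("url-host", host_hit) if host_hit else None
    return None


def scan_logs(lines):
    """Return [(line_number, client, kind, indicator)] for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = check_line(line)
        if result:
            client = parse_kv_line(line).get("client", "?")
            hits.append((n, client, result[0], result[1]))
    return hits


# Constructed sample log: two DNS resolvers' queries and two proxy requests.
SAMPLE_LOG = [
    "2026-01-26T09:01:02Z client=10.0.0.5 query=github.macos-developer.com type=A",
    "2026-01-26T09:01:03Z client=10.0.0.5 query=api.github.com type=A",
    "2026-01-26T09:01:04Z client=10.0.0.9 query=cdn.macfyno.com type=A",
    "2026-01-26T09:01:05Z client=10.0.0.9 query=notmacfyno.com type=A",
    "2026-01-26T09:01:06Z client=10.0.0.5 method=GET url=http://securityfenceandwelding.com/curl/"
    "79fbe2e4cccedda99204eeeeab1f4cb93ff81c1d08f2f28dfb1db80c187e1d43 status=200",
    "2026-01-26T09:01:07Z client=10.0.0.9 method=GET url=https://hci-outdoors.com/salt-engine.html status=200",
]

if __name__ == "__main__":
    for line_no, client, kind, indicator in scan_logs(SAMPLE_LOG):
        print(f"line {line_no}: client {client} hit {kind} indicator {indicator}")
```

Two of the six sample lines are deliberate non-hits: the legitimate api.github.com query shows that the fake GitHub Pages host github.macos-developer.com is matched as a whole name rather than by the word "github", and notmacfyno.com shows why the suffix check needs the dot boundary. The last line is flagged as url-host rather than url because it was fetched over HTTPS while the page lists the HTTP form; in practice the domain list is the durable part of this IoC set and the URL list is best treated as supporting context.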

Threat ID: 697731f84623b1157c79b499

Added to database: 1/26/2026, 9:20:56 AM

Last enriched: 1/26/2026, 9:35:16 AM

Last updated: 1/26/2026, 3:40:25 PM
