securityaffairs.com 2/4/2026, 12:31:11 PM · via preferred

Microsoft: Info-Stealing malware expands from Windows to macOS

Microsoft warns that info-stealing attacks are expanding from Windows to macOS, using cross‑platform languages like Python and abusing trusted platforms. Since late 2025, there has been a surge in macOS infostealer campaigns that rely on social engineering, fake fixes, and malicious DMG files, with macOS‑specific stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS) targeting credentials, crypto wallets, and browser data while evading defenses.

Phishing emails and fake ads also spread Python‑based stealers like PXA Stealer, which harvests logins, financial data, and browser sessions, often leveraging Telegram and trusted tools to hide activity. Attackers are turning WhatsApp and PDF tools into delivery channels, and in November 2025 Microsoft observed a WhatsApp abuse campaign that dispatched Eternidade Stealer via a multi‑stage worm‑like chain.

Defences urged include user training to spot fake ads and unsigned DMGs, monitoring for risky Terminal activity, and employing layered protection such as EDR in block mode, cloud‑delivered protection, and attack surface reduction rules to block obfuscated scripts and untrusted executables. 4 February 2026.

Article by CyberSIXT