Phishing Attack Targets macOS with Malicious Emails
Security firms SlowMist and Chainbase have identified a phishing attack targeting macOS users through emails disguised as “audit/compliance confirmation” or “Token unlocking confirmation.” The attackers send emails with malicious attachments that carry double extensions, such as .docx.scpt, so that a script passes for a document and users are tricked into executing it. Running the script leads to the theft of system passwords, a bypass of TCC (Transparency, Consent, and Control) permissions, and the deployment of a Node.js backdoor. Security teams advise users who have opened such attachments or entered passwords to disconnect from the internet immediately and inspect their systems for breaches.
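
A triage check for the double-extension attachment names described above, as an added example that is not code from SlowMist, Chainbase or the original report. The extension lists, function names and the sample message are assumptions constructed for illustration; the report itself names only `.docx.scpt`.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration; the report names only ".docx.scpt".
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
SCRIPT_EXTS = {".scpt", ".scptd", ".applescript", ".command", ".sh", ".js"}

def is_double_extension(filename):
    """True when a document-looking extension is followed by a script extension."""
    # Keep only the basename, drop padding and trailing dots, ignore case.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    # Every dot-separated piece after the first is treated as an extension;
    # pieces are stripped so "x.docx .scpt" cannot hide the decoy extension.
    exts = ["." + piece.strip() for piece in name.split(".")[1:]]
    if len(exts) < 2:
        return False
    return exts[-1] in SCRIPT_EXTS and any(e in DECOY_EXTS for e in exts[:-1])

def flag_attachments(raw_message):
    """Return attachment filenames in an RFC 5322 message that match the pattern."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname and is_double_extension(fname):
            flagged.append(fname)
    return flagged

def build_sample():
    """Constructed sample message: one suspicious and one benign attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Token unlocking confirmation"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please review the attached document.")
    for fname in ("Token_Unlock_Confirmation.docx.scpt", "minutes.v2.docx"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname in flag_attachments(build_sample()):
        print("double-extension attachment:", fname)
```

A match is a reason to quarantine the attachment for review; it does not by itself confirm that the file is malicious.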