Bybit discloses macOS malware campaign targeting users searching for Claude Code
Bybit's Security Operations Center has discovered a multi-stage malware attack targeting macOS users who search for the AI development tool Claude Code.
Attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to a counterfeit installation page. The malware delivered from that page steals browser credentials, macOS keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access through backdoor programs and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. The malicious infrastructure was identified on March 12, and the relevant analysis, mitigation, and detection measures were completed on the same day.








