By Abdul Wasay
MacSync macOS malware

A newly identified strain of macOS malware known as MacSync stealer has demonstrated the ability to bypass Apple’s Gatekeeper security protections, raising fresh concerns about the growing sophistication of threats targeting Mac users. Security researchers report that the malware can execute on macOS systems without triggering standard Gatekeeper warnings, allowing attackers to steal sensitive user data while remaining largely invisible during installation.

The MacSync stealer malware uses techniques that exploit how macOS verifies downloaded applications, enabling it to evade the operating system’s built-in safeguards designed to block untrusted software. Gatekeeper is a core macOS security feature that checks whether applications are signed by an identified developer and notarized by Apple. In this case, the malware manages to sidestep those checks, exposing users to credential theft and system compromise without the usual red flags.

macOS adoption continues to rise across both consumer and enterprise environments, making Apple devices increasingly attractive targets for cybercriminals. Compromising them should not be this easy.

Attackers are investing more resources into macOS-specific malware rather than relying solely on Windows-focused campaigns.

Researchers say MacSync stealer actively harvests browser data, authentication credentials, and other sensitive information that attackers can monetize or reuse in follow-on attacks.

“While MacSync Stealer itself is not entirely new, this case highlights how its authors continue to evolve their delivery methods,” researchers at Jamf commented.

“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.”

By avoiding Gatekeeper warnings, the malware makes users more likely to install it unknowingly, especially when attackers disguise it as legitimate software or bundle it with seemingly harmless applications. Although researchers have identified the technical mechanism behind the bypass, Apple has not yet publicly outlined mitigation steps specific to this strain.

The threat has implications beyond individual users. Businesses that rely on macOS for development, creative work, or executive systems face increased risk as a result.

Apple has long marketed macOS as a secure alternative to other desktop platforms. While that reputation remains strong, incidents like this underline the reality that no operating system is immune. This is partly down to the increase in macOS-specific techniques hackers are now deploying. In any case, security vendors and Apple itself face pressure to respond quickly and transparently.