I might or might not have caught the AMOS malware

[it wasnt me]

I have seen versions of the Trezor Suite and Ledger Live in my /tmp and (subsequently) installed in /Applications. That made me wonder why, and I found this article:

Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

Malicious OpenClaw skills trick AI agents and users into installing a new AMOS variant that steals extensive data at scale.

www.trendmicro.com

(No, I do not use AI stuff, but I have an idea where I might have got infected.)

I have not started either of those applications, and Malwarebytes did not find any remains after I had removed those two applications and a few other files in /tmp. There's nothing obvious in ps aux and/or the Login Items. Am I safe or am I ****ed?

 

[bogdanw]

Unfortunately, infostealers usually delete themselves and the data they collected. If you have passwords saved in browsers or Keychain, change them.

 

[it wasnt me]

I usually use a different password manager for most of my accounts. Glad to know that this might have saved me quite some trouble. Thank you.

 

[losthismarbles]

Help folks out and say how you think you might have got infected, lol

"i think i know how.."
Well, good for you! 😁

I hope you'll be O.K., i hate this ****. Some folks should sure learn what it's like to get a real job instead of doing stuff like that. The hard way if need be.

 

[it wasnt me]

Help folks out and say how you think you might have got infected, lol

Installed a handy tool from GitHub that was supposed to save me five minutes of work. My bad.

At least I think that this is how it happened.

I hope you'll be O.K.

Same, honestly. I just enabled two more 2FA log-ins, changed two (other) passwords and hope for the best.

 

[Apple_Robert]

For those looking on, stay away from Github. It is too easy for bad actors to infect files.

 

[bogdanw]

For those looking on, stay away from Github. It is too easy for bad actors to infect files.

Apple is on GitHub https://github.com/APPLE 🙂
Infecting legitimate repositories is possible, but most malware is spread through fake GitHub pages.
Examples
https://forums.macrumors.com/threads/tinker-tool-malware-problem.2463235/post-34059326
https://forums.macrumors.com/threads/big-mac-virus-on-youtube-be-aware.2474389/post-34461986

 

[it wasnt me]

Apple is on GitHub https://github.com/APPLE 🙂

I think it is a good idea to advertise alternatives as much as possible. Everyone wants to be on GitHub because everyone wants to be on GitHub, and that's dangerous in itself.

 

[maflynn]

If you have passwords saved in browsers or Keychain,

Glad I'm using a password manager.

 

[bogdanw]

Glad I'm using a password manager.

"Harvesting passwords from BitWarden and KeePassXC password managers"
https://unit42.paloaltonetworks.com/macos-stealers-growing/

 

[maflynn]

"Harvesting passwords from BitWarden and KeePassXC password managers"
https://unit42.paloaltonetworks.com/macos-stealers-growing/

Fortune that I don't use either one of those