100 million Mac users at risk: Hackers are hijacking ‘verified’ apps to sneak past your Mac’s security
Stay vigilant!
Mac users have felt safe behind Gatekeeper — the macOS digital security guard that only lets verified, trusted apps onto your machine. But now, that gate has just developed a massive crack, as hackers have found a way to get around it undetected.
On April 22, the research team at Mosyle Security discovered two forms of malware named “Phoenix Worm” and “ShadeStager.” With them, hackers are now successfully stealing developer keys, which act like a digital passport. By hijacking these keys, cybercriminals can disguise malware as Apple-approved apps.
To your MacBook, these viruses don’t look like a threat; they look like trusted guests. And with over 100 million Mac users worldwide, this blind spot means that even the most cautious users could be downloading a disaster in disguise.
How it works
The attack doesn’t start with you, but with the people who make your favorite apps. Hackers target the developers with a tag-team effort between these two new threats. First, the Phoenix Worm is snuck onto a developer’s system through a range of social engineering attacks — think recruiters with fake job offers or urgent coding tasks from clients.
Once it's there, Phoenix Worm acts as the inside man: it gives your Mac a secret ID number, waits for instructions, and even keeps watch for security software so it can hide from it.
When the coast is clear, the Phoenix Worm calls in the heavy hitter: ShadeStager. This specialist comes in and takes over developer keys, cloud credentials and secret dev tools. And while this digital heist happens behind the scenes, the fallout lands squarely on your desktop.
With these master keys, hackers can forge Apple’s verified seal of approval on any malicious file they want. By compromising the tools used to build apps, hackers are essentially poisoning the well in the Mac’s walled garden — turning a trusted developer’s reputation into a backdoor onto your private machine.
How to avoid this attack
First off, given Apple’s real focus on security, I would not be surprised if a hotfix update is deployed in the next few days to strengthen its verification process. But ultimately, while these two exploits in tandem are sophisticated, they’re not magic — they still need people to let them in.
So from a developer perspective, it’s going to be all about being extra careful with the emails you receive. In fact, Apple added a warning into macOS 26.4 when you’re about to paste potentially malicious code into the Terminal app. Stop immediately if you see it.
As for most of you reading this, if you’re downloading apps outside the Mac App Store, it’s about exercising some extra caution and asking yourself a couple of questions:
- Do I really know this company?
- If it’s something I’ve never heard of before, is it worth the risk?
And of course, while the Terminal warning above is more for developers, it’s good general advice for you too. If ever you see a website asking you to open the Terminal at all, that’s an automatic “close tab” moment.
Like any computer, your Mac is only as safe as the things you allow it to do, and by staying vigilant and skeptical, you can keep yourself invisible to even the most sophisticated attacks like this one.

Jason brings a decade of tech and gaming journalism experience to his role as a Managing Editor of Computing at Tom's Guide. He has previously written for Laptop Mag, Tom's Hardware, Kotaku, Stuff and BBC Science Focus. In his spare time, you'll find Jason looking for good dogs to pet or thinking about eating pizza if he isn't already.
