Apple device management company Mosyle has identified ModStealer, a new cross-platform infostealer that, at the time of the report, was going undetected by major antivirus engines. The malware is distributed under the guise of job offers for developers and runs on macOS, Windows, and Linux.
What Is Known
The operators use malicious ads disguised as recruiter offers to lure developers into running the payload. The dropper is a heavily obfuscated JavaScript file executed with Node.js; because Node runs the same code on every platform where it is installed, one payload covers macOS, Windows, and Linux, and because the obfuscated file matches no known static signature, it slips past signature-based protection.
According to the researchers, ModStealer is built to steal sensitive data. Its code includes functionality to search for and extract information from browser-based crypto wallets, credentials, configuration files, and certificates. Mosyle found targeted support for 56 browser wallet extensions, including Safari's, with the ability to pull private keys and other critical data.
Device Control and Hidden Presence
The malware is capable of:
- taking screenshots,
- intercepting clipboard content,
- executing remote code.
The last function gives attackers nearly full control over an infected device.
On macOS, the malware persists through launchd: it uses Apple's built-in launchctl tool to register itself as a user LaunchAgent. A LaunchAgent loads whenever that user logs in, so the stealer restarts silently after every reboot and keeps transmitting data to a remote server. Mosyle suggests that the server is hosted in Finland, though the infrastructure is linked to Germany, likely to conceal the operators' true location.
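A practical check for this kind of persistence is to audit the plists in ~/Library/LaunchAgents for jobs that start an interpreter such as node on a script sitting in a user-writable location, or that carry an Apple-looking label while running a non-Apple binary. The script below is an added example, not Mosyle's tooling and not an indicator list for ModStealer; its heuristics (the interpreter names, the "writable path" pattern, the Apple directory list) are assumptions to tune for your own fleet, and the two sample plists are constructed here for illustration.

```python
"""Audit macOS LaunchAgent plists for ModStealer-style persistence.
Added example; heuristics below are assumptions, not published indicators."""
import plistlib
import re
from pathlib import Path

# Assumed heuristics: interpreters malware commonly hides behind, paths any user can write,
# and directories where genuine Apple binaries live. Adjust for your environment.
INTERPRETERS = re.compile(r"(^|/)(node|nodejs|osascript|bash|zsh|sh|python3?)$")
WRITABLE_PATHS = re.compile(r"^(/tmp/|/private/tmp/|/var/tmp/|/Users/Shared/|/Users/[^/]+/)")
SCRIPT_EXTENSIONS = (".js", ".sh", ".py", ".scpt")
APPLE_BINARY_DIRS = ("/System/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/", "/Library/Apple/")


def command_line(job: dict) -> list[str]:
    """launchd runs Program if set, otherwise ProgramArguments[0]; extra args come from ProgramArguments."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job:
        return [str(job["Program"])] + args[1:]
    return args


def assess_job(job: dict) -> list[str]:
    """Return the reasons a parsed launchd job looks suspicious; an empty list means nothing flagged."""
    argv = command_line(job)
    if not argv:
        return []
    reasons = []
    if INTERPRETERS.search(argv[0]):
        reasons.append(f"runs interpreter {argv[0]}")
    for arg in argv[1:]:
        # A script in a user-writable directory, or anything inside a hidden directory there.
        if WRITABLE_PATHS.match(arg) and (arg.endswith(SCRIPT_EXTENSIONS) or "/." in arg):
            reasons.append(f"script in user-writable path: {arg}")
    label = str(job.get("Label", ""))
    if label.startswith("com.apple.") and not argv[0].startswith(APPLE_BINARY_DIRS):
        reasons.append(f"Apple-looking label {label} runs non-Apple binary {argv[0]}")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts at login (RunAtLoad/KeepAlive)")
    return reasons


def audit_plist(data: bytes) -> list[str]:
    """Parse one plist (XML or binary) and assess the job it describes."""
    return assess_job(plistlib.loads(data))


def audit_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Map each flagged plist file name in the directory to its findings."""
    findings = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            reasons = audit_plist(plist_path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[plist_path.name] = reasons
    return findings


# Constructed sample plists (not real artefacts): one mimicking the pattern described
# in the article, one benign job for comparison.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.updater",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/update.js"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/helper", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("sample suspicious:", audit_plist(SAMPLE_SUSPICIOUS))
    print("sample benign:", audit_plist(SAMPLE_BENIGN))
    for name, reasons in audit_launch_agents().items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run it as the affected user; ~/Library/LaunchAgents is per user, so a job planted for one account will not show up when auditing another. Pair the file audit with `launchctl list` (or `launchctl print gui/$(id -u)`), since a job can be loaded from a plist outside that directory.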
MaaS Model and Growing Threats
Mosyle believes ModStealer is sold under the "Malware-as-a-Service" (MaaS) model, in which the developers sell ready-made malware packages to less technically skilled affiliates, who then deploy them however they wish.
This model is becoming increasingly popular among cybercriminals. Mosyle also points to Jamf's finding earlier in 2025 of a 28% increase in infostealer malware, which made infostealers the most common type of malicious software targeting Macs this year.
NPM Supply Chain Attack
Earlier in September, the npm ecosystem suffered what was described as its largest supply chain compromise to date. Attackers gained access to a package maintainer's npm account and published malicious versions of popular libraries including chalk, strip-ansi, and color-convert, which together are downloaded billions of times per week.
The injected code was a crypto clipper: it swapped the recipient address in cryptocurrency transactions for an attacker-controlled one. Despite minimal confirmed losses (under $50), the incident drew wide attention because of the scale at which the tampered packages were distributed before they were pulled.
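Because the malicious versions were live only briefly, the practical question for most teams was whether any lockfile had pinned them. The checker below is an added example (not code from the incident write-ups) that walks a package-lock.json in both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 layout and reports matches against a table of compromised versions. The version numbers in the table are taken from the public advisories published at the time and are an assumption to confirm against a current advisory before relying on them; the two sample lockfiles are constructed here for illustration.

```python
"""Scan package-lock.json files for compromised package versions.
Added example; the COMPROMISED table is an assumption to verify against current advisories."""
import json
from pathlib import Path

# Malicious versions from the September 2025 npm incident as reported in public
# advisories at the time (assumption: confirm and extend from a current advisory).
COMPROMISED = {
    "chalk": {"5.6.1"},
    "strip-ansi": {"7.1.1"},
    "color-convert": {"3.1.1"},
}


def lockfile_packages(lock: dict):
    """Yield (name, version) for every installed package in a parsed package-lock.json.

    lockfileVersion 2 and 3 keep a flat "packages" map keyed by install path
    ("" is the root project, nested copies look like node_modules/a/node_modules/b).
    lockfileVersion 1 nests "dependencies" recursively instead.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue
            # Aliased packages carry an explicit name; otherwise the last path segment is the name.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version")
        return

    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock: dict, table: dict = COMPROMISED) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs present in the lockfile and in the table."""
    return sorted({(n, v) for n, v in lockfile_packages(lock) if v in table.get(n, ())})


def scan_lockfile(path: Path, table: dict = COMPROMISED) -> list[tuple[str, str]]:
    """Load a package-lock.json from disk and check it."""
    return find_compromised(json.loads(path.read_text()), table)


# Constructed sample lockfiles (not real project files).
SAMPLE_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/ansi-styles": {"version": "6.2.1"},
        "node_modules/color-convert": {"version": "2.0.1"},
        "node_modules/some-tool/node_modules/strip-ansi": {"version": "7.1.1"},
    },
}
SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "chalk": {"version": "4.1.2", "dependencies": {"ansi-styles": {"version": "4.3.0"}}},
        "color-convert": {"version": "3.1.1"},
    },
}

if __name__ == "__main__":
    print("v3 sample:", find_compromised(SAMPLE_V3))
    print("v1 sample:", find_compromised(SAMPLE_V1))
    for lock_path in Path(".").rglob("package-lock.json"):
        hits = scan_lockfile(lock_path)
        if hits:
            print(lock_path, hits)
```

A clean lockfile is necessary but not sufficient: a CI runner that installed without a lockfile during the exposure window, or a developer's global npm cache, can hold the bad versions too, so also check `npm cache ls` output and any build artefacts produced in that window.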