Home Blog Something Phishy in the /tmp Folder Published: March 18, 2026 Something Phishy in the /tmp Folder By: James O’Leary Think your Macs are immune? Think again. In a recent attack observed by the Huntress AI-Centric SOC, one employee fell for what looked like an official “macOS Protection Service” prompt. What ensued was an infostealer attack that could’ve led to significant damage to their business if they didn’t have the right security tools in place. By entering their password into a malicious “macOS Protection Service” pop-up, the user unknowingly launched the MacSync infostealer. Within moments, it began scraping credentials, browser cookies, and even crypto wallets—quietly stuffing everything into a local folder aptly named (but incorrectly spelled) /tmp/salmonela/ . The attacker might’ve failed their spelling test, but they didn’t fail to scrape sensitive data. Fortunately, Huntress spotted the mess and shut it down before anything could be served to the attacker. Inside the attack: How MacSync tried to steal it all This incident centered on MacSync , a macOS infostealer designed to quietly grab as much valuable data as possible from a single machine. Once the user entered their password into the fake “ macOS Protection Service ” dialog, MacSync went to work: Targeting high‑value data Chrome cookies and Safari data Apple Keychain credentials 200+ crypto wallets Scraping far beyond just passwords From browser cookies and saved logins, to notes, documents, and other sensitive data stored on disk All of this loot was staged locally under /tmp/salmonela/ . Once the folder was full, MacSync: Zipped the contents of salmonela/ Used curl to POST the archive to a command‑and‑control (C2) server at a sketchy domain Tried to cover its tracks by deleting the archive after exfiltration From the attacker’s perspective, this is the ideal play: a quiet, one‑time harvest of everything from cloud sessions to wallet keys, all packaged neatly and shipped off‑host. The social engineering hook: Fake macOS protection The infostealer relied on one critical user action: trusting a fake system prompt. The dialog presented itself as “macOS Protection Service” and used awkward, off‑brand phrasing like: “In order to process action required. Input device password to authorize your access.” That password request wasn’t about “protection” at all. It was there to: Unlock Apple Keychain , where sensitive credentials are stored Grant the malware the access it needed to scrape and exfiltrate data For busy employees, this kind of prompt can feel routine. That’s what the attacker is counting on. The difference between legitimate system prompts and fake ones is a critical user‑education gap , especially on macOS, where many still assume they’re safer by default. How Huntress stopped the “salmonela” stealer While MacSync was trying to quietly plate up stolen data, Huntress Managed EDR and our 24/7 AI-Centric SOC were already on the case. Here’s how the response unfolded: Suspicious process flagged on the Mac endpoint Huntress detected the infostealer’s activity and its use of LOOBins (“Living off the orchard binaries,” like curl ) to prepare for data exfiltration. SOC analysts verified malicious behavior With AI allowing for quick triage and analysis, human analysts reviewed the activity, confirmed it was malicious, and identified the infostealer’s behavior pattern. The host was isolated to stop the attack The endpoint was isolated from the network, cutting off outbound communication so the the attacker could upload the stolen data. Partner accepted remediations An incident doesn't end with containment. The Huntress SOC let the customer know what went down in the incident, along with guidance for full remediation to completely evict the adversary. The result: MacSync never got to serve the stolen data to the attacker. The threat was contained before data could be exfiltrated, and the endpoint was returned to a safe state without a full rebuild. And the customer avoided a nasty data breach (and possibly more) if their credentials were abused for more malicious activity. What this incident tells us about modern Mac threats There are a few big takeaways from this incident: macOS isn’t off the menu for attackers Threat actors are increasingly targeting Apple users who assume they’re safe from malware. If a user can be tricked into running code and entering their password, the platform alone won’t save you. Fake “security” prompts are powerful lures That “macOS Protection Service” dialog was not from Apple. Users need to be trained to recognize when a prompt is out of character, oddly worded, or out of context. Infostealers know exactly what to look for From 200+ crypto wallet extensions to mainstream browsers and Keychain, this stealer had a clear shopping list of digital assets and credentials. Everything from cookies to notes is in play Safari cookies, saved logins, personal notes, and documents were stolen and packaged for exfiltration. Infostealers don’t just go after “passwords”—they go after anything that can be reused later. Network activity still gives them away Those POST requests to shady domains are a dead giveaway that data is being set up for exfiltration. With the right visibility and a 24/7 AI-Centric SOC keeping watch, you have a chance to cut the connection before the damage is done. How to protect your business from infostealers like MacSync Incidents like this don’t just threaten one device. They put cloud accounts, financial assets like cryptocurrency, and even entire identities at risk. A few practical defenses go a long way: Educate your users on social engineering and fake prompts Teach employees to slow down when asked for their device password, especially from anything that doesn’t clearly come from IT or the operating system. Limit local admin and sensitive access where you can Reducing what a single endpoint can reach or unlock helps contain the blast radius if a stealer lands. Deploy Managed EDR on macOS Macs need the same level of visibility, detection, and response. Huntress Managed EDR for macOS with a 24/7 AI-Centric SOC means you don’t have to watch every alert yourself to catch a one‑off infostealer session. Rotate credentials and kill sessions after any infostealer event If an infostealer did run, treat cookies, Keychain entries, and passwords as compromised: invalidate sessions, rotate passwords, and assume staged data might be in someone else’s hands. MacSync and its “salmonela” folder are a reminder that modern attackers don’t always smash and grab with ransomware. Sometimes, they sit quietly, gathering information so they can walk away with the keys to your digital kingdom. With the right combination of user education, least‑privilege access, and managed detection and response, you can catch these incidents early. And keep your data off the attacker’s menu. See how the Huntress Agentic Security Platform can protect you from Infostealer attacks. Book a demo today. Categories Cybersecurity Education Summarize this post ChatGPT Claude Perplexity Google AI See Huntress in action Our platform combines a suite of powerful managed detection and response tools for endpoints and Microsoft 365 identities, science-backed security awareness training, and the expertise of our 24/7 Security Operations Center (SOC). Book a Demo Share You Might Also Like AMOS Stealer Exploits AI Trust: Malware Delivered Through ChatGPT and Grok Attackers are exploiting user trust in AI and aggressive SEO to deliver an evolved Atomic macOS Stealer. Learn why this social engineering tradecraft bypasses traditional network controls and the future of macOS infostealer defense. Learn More The VPN Mistake That Almost Cost a Company Everything Get an insider look at how the Huntress SOC stopped an unsecured VPN based ransomware attack. Learn why your business needs more than just software to stay secure. Learn More Boring Isn’t Harmless: The Risks Behind Common Cyberattack Tradecraft Don’t underestimate basic attacker tradecraft tactics. Learn how common cybersecurity tradecraft succeeds and get practical tips from the Huntress SOC to shut it down. Learn More Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report. Learn More The ClickFix Attack That Wasn’t: From a Fake AnyDesk Installer to MetaStealer Learn how a fake AnyDesk installer led to a unique MetaStealer attack, highlighting how threat actors evolve ClickFix techniques beyond the classic playbook to steal credentials and files. Learn More A Series of Unfortunate (RMM) Events Recently, the Huntress SOC has observed threat actors increasingly use PDQ and GoTo Resolve to deploy further remote monitoring and management (RMM) tools in attacks. Learn More The Battle for macOS Management: MDM vs. RMM Explore the two primary methods for managing macOS devices, MDM (Mobile Device Management) and RMM (Remote Monitoring and Management). Learn More How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations An attacker installed Huntress onto their operating machine, giving us a detailed look at how they’re using AI to build workflows, searching for tools like Evilginx, and researching targets like software development companies. Learn More Sign Up for Huntress Updates Get insider access to Huntress tradecraft, killer events, and the freshest blog updates. Work Email* Privacy • Terms Submit By submitting this form, you accept our Terms of Service & Privacy Policy Thank you! Your submission has been received! Oops! Something went wrong while submitting the form.