{"id":56951,"date":"2026-02-04T07:01:56","date_gmt":"2026-02-03T21:01:56","guid":{"rendered":"https:\/\/www.cloudproinc.com.au\/?p=56951"},"modified":"2026-02-04T07:12:41","modified_gmt":"2026-02-03T21:12:41","slug":"how-python-info-stealers-are-targeting-macos-endpoints","status":"publish","type":"post","link":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/","title":{"rendered":"How Python Info-Stealers Are Targeting macOS Endpoints"},"content":{"rendered":"\n<p>In this blog post <strong>How Python Info-Stealers Are Targeting macOS Endpoints in 2026<\/strong> we will walk through what\u2019s driving the surge, how these stealers operate on Macs, and the practical controls that reduce risk fast.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>High level: info-stealers are \u201csmash-and-grab\u201d malware. They don\u2019t need to encrypt your files or maintain long-term access to cause damage. They aim to quickly collect credentials, browser session tokens, cookies, and wallet data, then exfiltrate it. The twist is that macOS endpoints are now a consistent target, and Python has become a popular way for attackers to build and ship flexible stealers that can evolve quickly. Microsoft reported seeing macOS-focused stealer campaigns increase since late 2025, using social engineering (including ClickFix-style prompts), malicious DMGs, and native utilities like AppleScript to harvest secrets from browsers, keychains, and developer environments.<\/p>\n\n\n\n<p>If you manage a fleet of Macs, the key takeaway is simple: these attacks often look like normal user activity (installing software, pasting commands, granting prompts). 
You can\u2019t rely on \u201cMacs don\u2019t get malware.\u201d You need layered controls that catch suspicious execution paths, unusual credential prompts, and exfiltration patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-python-shows-up-in-modern-macos-info-stealers\">Why Python shows up in modern macOS info-stealers<\/h2>\n\n\n\n<p>Python itself isn\u2019t the \u201cvulnerability.\u201d It\u2019s the delivery and execution benefits attackers get:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fast development and easy reuse<\/strong>: Python lets threat actors iterate quickly, borrow modules, and change behavior to dodge signatures.<\/li>\n\n\n\n<li><strong>Cross-platform tooling<\/strong>: the same stealer codebase (or large chunks of it) can target Windows, macOS, and Linux with environment-specific branches.<\/li>\n\n\n\n<li><strong>Packaging hides intent<\/strong>: attackers often bundle Python payloads into a standalone executable so the victim doesn\u2019t need Python installed.<\/li>\n<\/ul>\n\n\n\n<p>A common packaging approach is <strong>PyInstaller<\/strong>, which wraps Python code and dependencies into a self-contained executable. Researchers have documented macOS infostealer samples that reveal PyInstaller fingerprints at runtime (for example, extraction to a temporary directory and the presence of common PyInstaller indicators). 
This matters because it changes what \u201cnormal\u201d looks like: a single Mach-O binary can unpack an entire Python runtime and a stealer in-memory or into temp folders, run quickly, then clean up traces.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-core-technology-behind-macos-targeting\">The core technology behind macOS targeting<\/h2>\n\n\n\n<p>Most macOS stealer campaigns succeed by combining three things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Social engineering<\/strong> to get initial execution (fake installers, fake browser checks, \u201cfix your computer\u201d prompts).<\/li>\n\n\n\n<li><strong>Native macOS utilities<\/strong> to interact with the system in a trusted-looking way (especially AppleScript via <code>osascript<\/code>).<\/li>\n\n\n\n<li><strong>Credential and session harvesting<\/strong> from browsers, Keychain, and developer tooling, then quick exfiltration.<\/li>\n<\/ul>\n\n\n\n<p>Microsoft\u2019s February 2, 2026 research highlighted macOS stealer campaigns using ClickFix-style prompts and malicious DMG installers to deploy Mac-focused stealers, with heavy use of \u201cliving off the land\u201d behaviors and AppleScript automation to access sensitive data. 
The same research also noted Python-based stealers delivered via phishing and exfiltration via services like Telegram in some campaigns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-the-attack-chain-typically-works-on-a-mac\">How the attack chain typically works on a Mac<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-initial-access-via-trust-abuse-not-exploits\">1) Initial access via trust abuse, not exploits<\/h3>\n\n\n\n<p>In many real-world incidents, users are tricked into doing one of these:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Installing a trojan DMG<\/strong> that looks like a legitimate app (productivity tools, \u201cAI\u201d tools, browsers, crypto utilities).<\/li>\n\n\n\n<li><strong>Running a copy-paste \u201cfix\u201d<\/strong> in Terminal. ClickFix-style lures can hide extra commands by forcing users to click a \u201ccopy\u201d button, so they don\u2019t see the full payload. Pen Test Partners described a 2025 pattern where attackers used typosquatted lookalike sites and appended Base64-encoded commands after a legitimate-looking command.<\/li>\n\n\n\n<li><strong>Following a fake verification step<\/strong> in the browser that instructs them to paste commands or download \u201crequired\u201d tools.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-execution-using-familiar-system-tools\">2) Execution using familiar system tools<\/h3>\n\n\n\n<p>Once launched, macOS stealers often try to blend in. A common pattern is invoking AppleScript through:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/osascript<\/code><\/pre>\n\n\n\n<p>Why? Because AppleScript dialogs can look like normal system prompts. Attackers use them to request passwords or permissions in a way that feels routine. 
Malwarebytes notes that Atomic Stealer (AMOS) uses macOS shell scripts launched with <code>osascript<\/code>, which aligns with this broader trend.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-prompting-for-secrets-and-bypassing-user-caution\">3) Prompting for secrets and bypassing user caution<\/h3>\n\n\n\n<p>Info-stealers don\u2019t always need a kernel exploit. They often rely on the fact that users will enter credentials when prompted, especially if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the prompt appears immediately after they tried to install or open something,<\/li>\n\n\n\n<li>the dialog resembles a real macOS authentication request,<\/li>\n\n\n\n<li>the user is under time pressure (\u201cyour browser is corrupted,\u201d \u201cupdate required,\u201d \u201cverify to continue\u201d).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-collecting-the-high-value-data-sets\">4) Collecting the \u201chigh value\u201d data sets<\/h3>\n\n\n\n<p>Stealers focus on data that leads to instant account takeover:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Browser passwords and autofill<\/strong><\/li>\n\n\n\n<li><strong>Session cookies and tokens<\/strong> (often more valuable than passwords because they can bypass MFA)<\/li>\n\n\n\n<li><strong>Keychain items<\/strong> (where available via user interaction, permissions, or scripting)<\/li>\n\n\n\n<li><strong>Crypto wallet files and browser extensions<\/strong><\/li>\n\n\n\n<li><strong>Developer secrets<\/strong> like cloud CLI credentials, SSH keys, source-control tokens, and environment files<\/li>\n<\/ul>\n\n\n\n<p>Microsoft specifically called out macOS stealer activity targeting browser and keychain secrets plus developer environments, reflecting how attackers follow the money and the access pathways.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-exfiltration-and-cleanup\">5) Exfiltration and cleanup<\/h3>\n\n\n\n<p>After harvesting, many stealers exfiltrate quickly and try to 
remove artifacts. Exfiltration may go to attacker infrastructure or via platforms that blend into normal traffic. Microsoft documented Python-based stealer campaigns using Telegram for exfiltration in 2025 investigations, a good example of \u201ctrusted service\u201d abuse.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-practical-detection-ideas-for-it-and-security-teams\">Practical detection ideas for IT and security teams<\/h2>\n\n\n\n<p>Focus on behaviors that map to how stealers actually operate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unexpected Terminal-driven installs<\/strong>: shell scripts initiated from browsers, especially right after visiting ad-driven or lookalike domains.<\/li>\n\n\n\n<li><strong>AppleScript credential prompts<\/strong>: frequent or out-of-context authentication dialogs, or <code>osascript<\/code> execution chains that originate from a newly installed app.<\/li>\n\n\n\n<li><strong>Access to browser data paths<\/strong>: sudden read bursts across Chrome\/Edge\/Brave\/Firefox profiles followed by compression (zip) and outbound network traffic.<\/li>\n\n\n\n<li><strong>Suspicious temporary extraction<\/strong>: large temp folders created and removed quickly, especially for unsigned or ad-hoc signed binaries.<\/li>\n\n\n\n<li><strong>Outbound exfil patterns<\/strong>: small-to-medium POSTs to unfamiliar domains, or traffic to messaging\/CDN platforms not expected for that endpoint role.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hardening-steps-that-reduce-risk-quickly\">Hardening steps that reduce risk quickly<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-tighten-software-installation-and-execution-paths\">1) Tighten software installation and execution paths<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use MDM to enforce installing from trusted sources and known developers where possible.<\/li>\n\n\n\n<li>Block or heavily monitor unsigned apps and newly downloaded executables launching from 
user-writable locations.<\/li>\n\n\n\n<li>Restrict who can install browser extensions, especially wallet-related extensions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-reduce-browser-as-a-password-manager-exposure\">2) Reduce \u201cbrowser as a password manager\u201d exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encourage a managed password manager with strong policies.<\/li>\n\n\n\n<li>Where feasible, disable or limit browser password storage on corporate devices.<\/li>\n\n\n\n<li>Use phishing-resistant MFA (FIDO2\/WebAuthn) for critical systems to reduce the blast radius of password theft.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-protect-developer-environments-like-production\">3) Protect developer environments like production<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rotate and scope tokens (Git, CI\/CD, cloud). Prefer short-lived credentials.<\/li>\n\n\n\n<li>Store secrets in a vault, not in dotfiles or plaintext env files on disk.<\/li>\n\n\n\n<li>Monitor for anomalous use of cloud CLIs and source-control tokens from new IPs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-add-telemetry-that-answers-what-ran-from-where-and-what-did-it-touch\">4) Add telemetry that answers \u201cwhat ran, from where, and what did it touch?\u201d<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable endpoint detection that captures process trees and script execution.<\/li>\n\n\n\n<li>Alert on <code>osascript<\/code> spawned by untrusted apps, and on unusual read access to browser and wallet directories.<\/li>\n\n\n\n<li>Record DNS and egress traffic for Macs, not just servers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-make-user-prompts-harder-to-weaponise\">5) Make user prompts harder to weaponise<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Train users on the specific trick: \u201ccopy this command into Terminal to fix a problem\u201d is a major red flag.<\/li>\n\n\n\n<li>Teach a simple rule: 
if a webpage tells you to paste commands, stop and escalate.<\/li>\n\n\n\n<li>Run periodic \u201cprompt literacy\u201d exercises using screenshots of fake system dialogs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-to-do-if-you-suspect-a-macos-info-stealer-incident\">What to do if you suspect a macOS info-stealer incident<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Isolate the endpoint<\/strong> from the network (don\u2019t just close the window).<\/li>\n\n\n\n<li><strong>Preserve evidence<\/strong>: collect process trees, recent downloads, mounted volumes, persistence items, and network logs.<\/li>\n\n\n\n<li><strong>Assume credential compromise<\/strong>: reset passwords and revoke sessions\/tokens. Prioritise email, SSO, VPN, source control, cloud consoles, and password managers.<\/li>\n\n\n\n<li><strong>Rotate developer and cloud secrets<\/strong> (API keys, access keys, CI tokens) and review logs for anomalous access.<\/li>\n\n\n\n<li><strong>Hunt laterally<\/strong>: look for the same lure domain, installer hash, or execution pattern across other Macs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-closing-thoughts\">Closing thoughts<\/h2>\n\n\n\n<p>Python-based info-stealers targeting macOS are a clear signal that endpoint protection has to follow attacker behavior, not old assumptions. The good news is that these attacks are often detectable because they\u2019re operationally noisy: social engineering, scripted prompts, rapid data access, then exfiltration. 
If you tighten installation paths, reduce stored secrets, and monitor for <code>osascript<\/code> and suspicious packaged executables, you can materially cut both likelihood and impact.<\/p>\n\n\n\n<p>If you\u2019d like, I can tailor a control checklist for your environment (Jamf\/Intune, Defender for Endpoint, CrowdStrike, or another EDR) and map detections to MITRE techniques for macOS-focused stealers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Python-based info-stealers are increasingly hitting macOS via fake installers, copy-paste \u201cfixes,\u201d and stealthy packaging. 
Learn how they work, what they steal, and how to harden Macs in business environments.<\/p>\n","protected":false},"author":1,"featured_media":56952,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"How Python Info-Stealers Are Targeting macOS Endpoints","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13,29],"tags":[],"class_list":["post-56951","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-microsoft-defender-xdr"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>How Python Info-Stealers Are Targeting macOS Endpoints - CPI Consulting<\/title>\n<meta name=\"description\" content=\"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Python Info-Stealers Are Targeting macOS Endpoints\" \/>\n<meta property=\"og:description\" content=\"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover 
effective risk reduction strategies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/\" \/>\n<meta property=\"og:site_name\" content=\"CPI Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-03T21:01:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-03T21:12:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cloudproinc.com.au\/wp-content\/uploads\/2026\/02\/post-6.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"CPI Staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"CPI Staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/\"},\"author\":{\"name\":\"CPI Staff\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\"},\"headline\":\"How Python Info-Stealers Are Targeting macOS Endpoints\",\"datePublished\":\"2026-02-03T21:01:56+00:00\",\"dateModified\":\"2026-02-03T21:12:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/\"},\"wordCount\":1406,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/post-6.png\",\"articleSection\":[\"Blog\",\"Microsoft defender XDR\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/\",\"name\":\"How Python 
Info-Stealers Are Targeting macOS Endpoints - CPI Consulting\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/post-6.png\",\"datePublished\":\"2026-02-03T21:01:56+00:00\",\"dateModified\":\"2026-02-03T21:12:41+00:00\",\"description\":\"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#primaryimage\",\"url\":\"\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/post-6.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/post-6.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2026\\\/02\\\/04\\\/how-python-info-stealers-are-targeting-macos-endpoints\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How Python Info-Stealers Are Targeting macOS 
Endpoints\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#website\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/\",\"name\":\"Cloud Pro Inc - CPI Consulting Pty Ltd\",\"description\":\"Cloud, AI &amp; Cybersecurity Consulting | Melbourne\",\"publisher\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cloudproinc.com.au\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\",\"name\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"width\":500,\"height\":500,\"caption\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\",\"name\":\"CPI 
Staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"caption\":\"CPI Staff\"},\"sameAs\":[\"http:\\\/\\\/www.cloudproinc.com.au\"],\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/author\\\/cpiadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How Python Info-Stealers Are Targeting macOS Endpoints - CPI Consulting","description":"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/","og_locale":"en_US","og_type":"article","og_title":"How Python Info-Stealers Are Targeting macOS Endpoints","og_description":"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.","og_url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/","og_site_name":"CPI Consulting","article_published_time":"2026-02-03T21:01:56+00:00","article_modified_time":"2026-02-03T21:12:41+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/cloudproinc.com.au\/wp-content\/uploads\/2026\/02\/post-6.png","type":"image\/png"}],"author":"CPI Staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"CPI Staff","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#article","isPartOf":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/"},"author":{"name":"CPI Staff","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e"},"headline":"How Python Info-Stealers Are Targeting macOS Endpoints","datePublished":"2026-02-03T21:01:56+00:00","dateModified":"2026-02-03T21:12:41+00:00","mainEntityOfPage":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/"},"wordCount":1406,"commentCount":0,"publisher":{"@id":"https:\/\/cloudproinc.com.au\/#organization"},"image":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2026\/02\/post-6.png","articleSection":["Blog","Microsoft defender XDR"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/","url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/","name":"How Python Info-Stealers Are Targeting macOS Endpoints - CPI 
Consulting","isPartOf":{"@id":"https:\/\/cloudproinc.com.au\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#primaryimage"},"image":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2026\/02\/post-6.png","datePublished":"2026-02-03T21:01:56+00:00","dateModified":"2026-02-03T21:12:41+00:00","description":"Learn how Python info-stealers are targeting macOS endpoints in 2026 and discover effective risk reduction strategies.","breadcrumb":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#primaryimage","url":"\/wp-content\/uploads\/2026\/02\/post-6.png","contentUrl":"\/wp-content\/uploads\/2026\/02\/post-6.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/04\/how-python-info-stealers-are-targeting-macos-endpoints\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cloudproinc.com.au\/"},{"@type":"ListItem","position":2,"name":"How Python Info-Stealers Are Targeting macOS Endpoints"}]},{"@type":"WebSite","@id":"https:\/\/cloudproinc.com.au\/#website","url":"https:\/\/cloudproinc.com.au\/","name":"Cloud Pro Inc - CPI Consulting Pty Ltd","description":"Cloud, AI &amp; Cybersecurity Consulting | 
Melbourne","publisher":{"@id":"https:\/\/cloudproinc.com.au\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cloudproinc.com.au\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cloudproinc.com.au\/#organization","name":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd","url":"https:\/\/cloudproinc.com.au\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/logo\/image\/","url":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","contentUrl":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","width":500,"height":500,"caption":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd"},"image":{"@id":"https:\/\/cloudproinc.com.au\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e","name":"CPI Staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","caption":"CPI Staff"},"sameAs":["http:\/\/www.cloudproinc.com.au"],"url":"https:\/\/cloudproinc.com.au\/index.php\/author\/cpiadmin\/"}]}},"jetpack_featured_media_url":"\/wp-content\/uploads\/2026\/02\/post-6.png","jetpack-related-posts":[{"id":56909,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/01\/29\/intune-device-type-restriction-policies-explained\/","url_meta":{"origin":56951,"position":0},"title":"Intune Device Type Restriction Policies Explained","author":"CPI 
Staff","date":"January 29, 2026","format":false,"excerpt":"Learn what Intune device type restriction policies are, how they work, and how to configure them to reduce risk while keeping onboarding smooth for users.","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/01\/post-10.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/01\/post-10.png 1x, \/wp-content\/uploads\/2026\/01\/post-10.png 1.5x, \/wp-content\/uploads\/2026\/01\/post-10.png 2x, \/wp-content\/uploads\/2026\/01\/post-10.png 3x, \/wp-content\/uploads\/2026\/01\/post-10.png 4x"},"classes":[]},{"id":56932,"url":"https:\/\/cloudproinc.com.au\/index.php\/2026\/02\/01\/enforce-device-compliance-with-microsoft-intune\/","url_meta":{"origin":56951,"position":1},"title":"Enforce Device Compliance with Microsoft Intune","author":"CPI Staff","date":"February 1, 2026","format":false,"excerpt":"Learn how Intune compliance policies and Entra Conditional Access work together to keep data secure. 
Follow practical steps to define requirements, remediate drift, and block risky devices.","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2026\/02\/post-2.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2026\/02\/post-2.png 1x, \/wp-content\/uploads\/2026\/02\/post-2.png 1.5x, \/wp-content\/uploads\/2026\/02\/post-2.png 2x, \/wp-content\/uploads\/2026\/02\/post-2.png 3x, \/wp-content\/uploads\/2026\/02\/post-2.png 4x"},"classes":[]},{"id":53831,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/09\/15\/manage-macos-byod-devices-with-microsoft-intune\/","url_meta":{"origin":56951,"position":2},"title":"Manage macOS BYOD Devices with Microsoft Intune","author":"CPI Staff","date":"September 15, 2025","format":false,"excerpt":"A practical guide to enroll, secure, and support personal Macs with Intune\u2014without ruining the user experience or sacrificing privacy.","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png 1x, \/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png 1.5x, \/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png 2x, \/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png 3x, \/wp-content\/uploads\/2025\/09\/manage-macos-byod-devices-with-microsoft-intune-the-right-way.png 
4x"},"classes":[]},{"id":56780,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/10\/security-best-practices-for-azure-ai-services\/","url_meta":{"origin":56951,"position":3},"title":"Security Best Practices for Azure AI Services","author":"CPI Staff","date":"November 10, 2025","format":false,"excerpt":"Practical, step-by-step guidance to secure Azure AI services end to end\u2014identity, networks, data, prompts, and monitoring\u2014so your teams can innovate confidently without exposing your organisation.","rel":"","context":"In &quot;Azure AI Services&quot;","block_context":{"text":"Azure AI Services","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/azure-ai-services\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 1x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 1.5x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 2x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 3x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 4x"},"classes":[]},{"id":395,"url":"https:\/\/cloudproinc.com.au\/index.php\/2024\/07\/21\/retrieving-azure-ai-services-keys-and-endpoints-using-bicep\/","url_meta":{"origin":56951,"position":4},"title":"Retrieving Azure AI Services Keys and Endpoints Using Bicep","author":"CPI Staff","date":"July 21, 2024","format":false,"excerpt":"This Azure AI Services post will show how to retrieve Azure AI Services keys and Endpoint using Bicep deployment code. If you are not familiar with Azure Bicep, it is a Specific Domain Language (DSL) for infrastructure-as-code (iac) deployments in Azure only. 
Unlike other tools like Terraform, Bicep offers access\u2026","rel":"","context":"In &quot;AI&quot;","block_context":{"text":"AI","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/ai\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2024\/07\/Azure-AI-endpoint-and-key-output-using-Bicep.webp","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2024\/07\/Azure-AI-endpoint-and-key-output-using-Bicep.webp 1x, \/wp-content\/uploads\/2024\/07\/Azure-AI-endpoint-and-key-output-using-Bicep.webp 1.5x, \/wp-content\/uploads\/2024\/07\/Azure-AI-endpoint-and-key-output-using-Bicep.webp 2x"},"classes":[]},{"id":53111,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/02\/19\/add-language-keyboards-to-windows-machines-with-intune\/","url_meta":{"origin":56951,"position":5},"title":"Add Language Keyboards to Windows Machines with Intune","author":"CPI Staff","date":"February 19, 2025","format":false,"excerpt":"In this Microsoft Intune blog post, we will demonstrate the process of adding an additional language keyboard to a Windows machine using Microsoft Intune. Estimated reading time: 3 minutes Microsoft Intune is a cloud-based service that provides comprehensive management of devices, applications, and security for organizations. 
As part of the\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2024\/07\/Deploy-Azure-OpenAI-GPT-4o-Resource-and-Model-using-Bicep.webp","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2024\/07\/Deploy-Azure-OpenAI-GPT-4o-Resource-and-Model-using-Bicep.webp 1x, \/wp-content\/uploads\/2024\/07\/Deploy-Azure-OpenAI-GPT-4o-Resource-and-Model-using-Bicep.webp 1.5x, \/wp-content\/uploads\/2024\/07\/Deploy-Azure-OpenAI-GPT-4o-Resource-and-Model-using-Bicep.webp 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/comments?post=56951"}],"version-history":[{"count":3,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56951\/revisions"}],"predecessor-version":[{"id":56960,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56951\/revisions\/56960"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media\/56952"}],"wp:attachment":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media?parent=56951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/categories?post=56951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/tags?post=56951"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}