Mosyle Security identified two new macOS malware strains, Phoenix Worm and ShadeStager, that target developer credentials and cloud authentication data [1].
These threats represent a significant security risk because they specifically target the tools used by software engineers to build and deploy applications. By harvesting long-lived developer tokens and SSH keys, attackers can impersonate trusted entities to gain persistent access to secure cloud environments and code repositories [2].
The malware is designed to steal a wide array of sensitive data, including Azure, AWS, and Google Cloud credentials [3]. It also targets Kubernetes configurations, Git and Docker authentication data, and browser profiles [3]. This comprehensive collection of data allows attackers to move laterally across corporate networks and cloud infrastructure [2].
One of the most critical features of these strains is their ability to bypass Apple’s Gatekeeper [3]. Gatekeeper is intended to ensure that only trusted software runs on macOS, but these threats can make malicious applications appear signed — a tactic that allows them to evade detection by many antivirus engines [4].
Mosyle Security said it discovered these two distinct strains on April 22, 2026 [1, 5]. The firm said the malware targets macOS devices worldwide [1]. According to reports, as many as 100 million macOS devices could potentially be affected [6].
The attackers focus on harvesting credentials that provide long-term access rather than short-term session tokens [2]. This strategy ensures that even if a user changes a password, the stolen developer keys may still provide a backdoor into the system [2].
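The credential stores named above are exactly what a defender should inventory on developer Macs. The following added example (not Mosyle's code or part of the original report) audits a home directory for those stores, flagging files readable by group or other and files whose last modification is older than a rotation threshold, a rough proxy for the long-lived secrets the report says these strains prefer. The file paths are assumed common defaults, and the sample home it builds is constructed for the demo.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Credential stores the report names as targets; paths are common defaults (assumed).
CREDENTIAL_STORES = [
    ".aws/credentials",              # AWS long-lived access keys
    ".azure/accessTokens.json",      # Azure CLI token cache
    ".config/gcloud/credentials.db", # gcloud stored credentials
    ".kube/config",                  # Kubernetes client certs and tokens
    ".docker/config.json",           # Docker registry auth
    ".git-credentials",              # Git credential store (plaintext)
    ".ssh/id_rsa",                   # SSH private keys
    ".ssh/id_ed25519",
]

def audit_credential_stores(home, max_age_days=90, now=None):
    """Return (rel_path, finding, detail) for loose permissions or unrotated (stale) stores."""
    now = time.time() if now is None else now
    findings = []
    for rel in CREDENTIAL_STORES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        st = path.stat()
        # Any group/other permission bit means another local account could read the secret.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rel, "loose-permissions", oct(st.st_mode & 0o777)))
        # mtime approximates when the credential was last written, i.e. last rotated.
        age_days = (now - st.st_mtime) / 86400
        if age_days > max_age_days:
            findings.append((rel, "stale-credential", f"{age_days:.0f}d"))
    return findings

def demo():
    """Audit a constructed sample home: stale world-readable AWS creds, fresh 0600 SSH key."""
    home = Path(tempfile.mkdtemp())
    aws = home / ".aws" / "credentials"
    aws.parent.mkdir()
    aws.write_text("[default]\naws_access_key_id = CONSTRUCTED_SAMPLE\n")
    aws.chmod(0o644)
    old = time.time() - 200 * 86400          # pretend it was last rotated 200 days ago
    os.utime(aws, (old, old))
    key = home / ".ssh" / "id_ed25519"
    key.parent.mkdir()
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED_SAMPLE\n")
    key.chmod(0o600)
    return audit_credential_stores(home)   # only the AWS file should be reported
```

Run `audit_credential_stores(Path.home())` on a real developer machine to list stores worth rotating or locking down; anything flagged stale is the kind of long-lived token the report describes.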
“These threats can bypass Apple’s Gatekeeper by making malicious apps appear signed.”
The targeting of developer-specific credentials indicates a shift toward supply-chain attacks, where the goal is not just to infect a single machine but to compromise the software delivery pipeline. By stealing SSH keys and cloud tokens, attackers can inject malicious code into legitimate software updates, potentially expanding the reach of the infection far beyond the initial 100 million targeted devices.