
Mac malware targets developer credentials in new Mosyle findings

AppleInsider

Security researchers at Mosyle disclosed two previously unknown macOS malware families on April 22, naming them Phoenix Worm and ShadeStager. Both evaded existing antivirus signatures, establishing a stealthy foothold before extracting sensitive developer material. The pair illustrates a shift toward long‑term persistence and credential theft rather than quick ransomware payouts. With the stolen tokens, attackers can move laterally into cloud services.

Phoenix Worm acts as a Go‑based stager that runs on macOS, Linux and Windows. It contacts a remote server, assigns the host a unique ID, checks for sandbox indicators and streams device data back over encrypted channels. ShadeStager then extracts SSH keys, cloud tokens for AWS, Azure and Google, Kubernetes configs, Git and Docker credentials, plus browser profiles, exfiltrating everything over HTTPS so the traffic blends in with normal web activity.

Both tools rely on dynamic configuration rather than hard‑coded command‑and‑control addresses, making network‑level blocking difficult. Because they harvest credentials that grant access to code repositories and cloud infrastructure, a single compromised Mac can jeopardize an entire development pipeline. Enterprises should prioritize behavioral monitoring, strict credential auditing, and limiting script execution to mitigate this emerging threat.
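A small credential-store inventory along the lines of the "strict credential auditing" recommended above, written as an added example for this page (it is not code from Mosyle, AppleInsider or the malware report); the file locations are assumed default paths for the tools named in the article, not taken from the findings.

```python
# Added example: inventory the developer credential stores the article says
# ShadeStager targets (SSH keys, AWS/Azure/Google Cloud tokens, kubeconfig,
# Git and Docker credentials) under a home directory and flag files that are
# readable by group or others. Paths are assumed tool defaults, not from the report.
import stat
from pathlib import Path

# Assumed default locations, keyed by the credential type they hold.
CREDENTIAL_STORES = {
    "ssh": [".ssh/id_*"],
    "aws": [".aws/credentials"],
    "azure": [".azure/accessTokens.json", ".azure/msal_token_cache.json"],
    "gcloud": [".config/gcloud/credentials.db", ".config/gcloud/access_tokens.db"],
    "kubernetes": [".kube/config"],
    "git": [".git-credentials"],
    "docker": [".docker/config.json"],
}


def audit_credential_stores(home):
    """Return one finding dict per credential file that exists under `home`.

    `loose_perms` is True when the file mode grants read access to group or
    others, which widens the set of local processes able to read the secret."""
    findings = []
    for kind, patterns in CREDENTIAL_STORES.items():
        for pattern in patterns:
            for path in sorted(Path(home).glob(pattern)):
                # Skip public halves of SSH key pairs; only private material matters here.
                if not path.is_file() or path.suffix == ".pub":
                    continue
                mode = stat.S_IMODE(path.stat().st_mode)
                findings.append({
                    "kind": kind,
                    "path": str(path),
                    "mode": oct(mode),
                    "loose_perms": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
    return findings


if __name__ == "__main__":
    # Stand-alone use: audit the current user's home directory.
    for f in audit_credential_stores(Path.home()):
        flag = "LOOSE" if f["loose_perms"] else "ok"
        print(f"[{flag:<5}] {f['kind']:<10} {f['mode']} {f['path']}")
```

Run it per user on managed Macs and compare the inventory against what each developer actually needs; any store that is present but unused is material worth removing or rotating.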