1 Check first
Check LaunchDaemons and LaunchAgents
This is where macOS persistence lives. Infostealers install plist files here so they restart automatically after a reboot — and they name themselves to look like Apple.
-
Start here
List everything set to auto-start
AMOS disguises its persistence as Apple services — labels like
com.apple.accountsd,com.apple.service,com.finder.helper. The label looks like Apple, but the plist points at a hidden script in your home directory or/var/tmp/. See how to tell the real from the fake com.apple.accountsd.# List all LaunchDaemons (system-wide, often requires sudo to see contents) ls -la /Library/LaunchDaemons/ # List user-level LaunchAgents ls -la ~/Library/LaunchAgents/ # List system-level LaunchAgents ls -la /Library/LaunchAgents/What to look for:
- Labels that mimic Apple naming (
com.apple.*) but were not installed by Apple — open the plist and check theProgramArgumentspath. If it points at a hidden dotfile or a script in your home directory, that is not Apple. - Plist files created recently or at an unexpected date — check the file modification timestamp.
- Watchdog loops: a daemon whose sole job is to relaunch another process every few seconds. Look for
StartIntervalvalues under 60 in the plist.
# Read a suspicious plist to see what it actually runs cat /Library/LaunchDaemons/<suspect-label>.plist # Check for hidden payload dirs that mimic Apple naming ls -la ~/Library/Application\ Support/.com.apple.* 2>/dev/nullWhy antivirus misses this: AV may quarantine the active binary but leave the plist (root scaffolding) loaded. The daemon is still registered with launchd. A green dashboard means no new detections — not that the persistence is gone. - Labels that mimic Apple naming (
2 Check for dropped files
Hidden files the malware writes near the payload
AMOS captures your login password and stages browser data in short hidden files. These are often the clearest proof something ran.
-
Look for captured credentials and staging files
The malware writes your password to a small hidden file — often with a name like
.pass,.pw, or something similarly short — so it can use it for privilege escalation. It also stages browser data (cookies, saved passwords, extensions) before exfiltrating.# List hidden files in your home directory ls -la ~/.[!.]* # Look for short hidden files that could be captured passwords find ~ -maxdepth 2 -name ".*" -type f -size -1k -newer /var/log/install.log 2>/dev/null # Check for hidden dirs that mimic Apple in Application Support ls -la ~/Library/Application\ Support/.* 2>/dev/nullWhat to look for:
- Short hidden files you did not create — especially anything containing what looks like a password or token.
- Hidden directories in
~/Library/Application Support/that mimic Apple naming (e.g..com.apple.accountsd). - Browser data copies (cookies databases, login JSON) outside the normal browser profile path.
If you find a file that contains your password in plaintext: stop. Do not delete it yet — it is evidence. Change that password immediately from a clean device, then preserve the file to an external drive before removing it.
3 Check running processes
Look for processes running from unexpected paths
Legitimate macOS processes run from /System/, /usr/, or /Applications/. An infostealer's binary runs from /var/tmp/, a hidden directory, or a user-writable path.
-
Audit process paths
Look for any process whose binary path is somewhere you wouldn't expect system software to live.
/var/tmp/and hidden dotfile directories are common AMOS staging locations.# Show all running processes with full paths ps aux # Filter for processes running from suspicious locations ps aux | grep -E '/var/tmp|/\.\w' # Check what is currently loaded by launchd launchctl list | grep -v "com.apple"What to look for:
- Processes running from
/var/tmp/,/tmp/, or any hidden directory (path containing/.). - Process names that mimic Apple services but run from a user-writable path instead of
/System/or/usr/. - Any process with a name you do not recognize — especially if it started recently and uses network connections.
# Check active network connections for unknown processes lsof -i -P | grep ESTABLISHEDCheck outbound connections: an infostealer's entire job is to phone your data out. If a process you don't recognize has an established network connection, note the remote IP and the process name. That is the signal. - Processes running from
4 Run the free scanner
Automate all of the above with one script
The checks above are exactly what the free scanner does — in a read-only POSIX script you can audit before running. No network calls, no sudo, no changes to your system.
-
Download, read, then run the scanner
hardenmac-scan checks for the known AMOS launchd labels, the watchdog relaunch loop, captured-password files, known command-and-control domains, and processes running from suspicious paths.
# Download the scanner git clone https://github.com/thatswhatworks/hardenmac-scan.git cd hardenmac-scan # Read the script before running it — never trust blind cat scan.sh # Run it chmod +x scan.sh ./scan.sh- Read-only: the script does not modify your system, does not require
sudo, and makes no network calls. - Open source: every line is readable before you run it. That is the point.
- Never pipe a script from the internet into your shell —
curl | bashis literally how a lot of these infostealers get installed. Download it, read it, then run it.
Why a script instead of an app? Because an app that asks for permissions is the same pattern the malware uses. A shell script that reads and reports is the lowest-trust, most-auditable format. You can see exactly what it does. - Read-only: the script does not modify your system, does not require
5 Check shell history
Look for delivery-vector artifacts
The infection started somewhere. Your shell history may still have the evidence — especially if it came in through a curl|bash install or an osascript privilege-escalation trick.
-
Search history for suspicious patterns
The ClickFix/Terminal-paste trick — where a website or ad instructs you to paste a command into Terminal — is the single most common Mac infection vector right now. Your history is the evidence trail.
# Search for curl|bash or curl|sh patterns (the classic pipe-to-shell) history | grep -iE 'curl.*\|.*(bash|sh|zsh)' # Search for osascript privilege escalation history | grep -i 'osascript' # Check the raw history file for anything your session history doesn't show grep -iE 'curl.*\|.*(bash|sh)|osascript|sudo.*bash' ~/.zsh_history 2>/dev/null grep -iE 'curl.*\|.*(bash|sh)|osascript|sudo.*bash' ~/.bash_history 2>/dev/nullWhat to look for:
curl|bashorcurl|shpatterns: any install script piped directly from the internet into a shell. This is the delivery mechanism.osascriptcommands: AppleScript can pop a fake system dialog asking for your admin password. If you seeosascript -ein your history and you don't remember writing AppleScript, investigate.- Commands you don't remember running: the malware may have run commands as your user. Anything unfamiliar in your history is worth investigating.
6 If you find something
What to do if any of these checks turned up something suspicious
The priority is not cleaning the machine. The priority is rotating credentials from a device you trust.
-
Do this now
Rotate credentials from a different, clean device
Use your phone or another known-good computer — not the suspect Mac. Anything you type into a compromised machine can be captured again.
- Password-manager master password — then check its activity log for unfamiliar sign-ins.
- API keys and developer tokens: GitHub, cloud providers, CI, package registries, AI/LLM keys. Regenerate SSH keys.
- Apple ID and Google: change passwords, review trusted devices, set a recovery key.
- Financial accounts and anything with money attached.
- Sign out of all browser sessions everywhere — stored cookies were stealable, so a password change alone is not enough.
-
Then follow the full recovery checklist
The recovery checklist walks through everything after credential rotation: preserving evidence, auditing persistence, the wipe-vs-clean decision, rebuilding clean, and hardening so it cannot sit silently again. If AV already flagged something, read why quarantine alone isn't enough before you trust a clean report.
FreeThe Mac Infostealer Recovery & Hardening Checklist — full sequence, ungated, no signup→
Common questions
What people ask when they suspect an infection
Based on the real incident and documented AMOS/Poseidon-class behavior. Further reading: Objective-See · Apple Platform Security guide · CISA.
Will antivirus detect an infostealer on my Mac?
Not reliably. The AMOS/Poseidon family disguises persistence as Apple system processes. In the real incident this guide is built from, antivirus reported the machine clean while a root LaunchDaemon was still loaded and running. AV may remove the active binary while leaving root scaffolding intact. A green dashboard means no new detections — not a clean machine.
What are the signs my Mac has an infostealer?
Check for LaunchDaemons or LaunchAgents with labels that mimic Apple naming (com.apple.accountsd, com.apple.service) but point at hidden scripts in your home directory. Look for short hidden files near the payload (captured credentials), processes running from /var/tmp/ or hidden directories, and curl|bash patterns in your shell history. The free scanner automates these checks.
How do Mac infostealers get installed?
The most common vectors are fake developer tool installers, cloned documentation pages, malvertising in search results, and the ClickFix/Terminal-paste trick where a website instructs you to paste a command into Terminal. Supply-chain attacks via poisoned npm or PyPI packages are also documented. In every case, the malware runs as your user account — everything your account can reach is exposed.
Should I wipe my Mac if I find malware?
When in doubt, wipe. A machine that carried root persistence for any meaningful period cannot be trusted in place. Removing what you can see does not tell you what you cannot. A clean reinstall takes a few hours; trusting a still-dirty machine with your credentials is the more expensive mistake. The one exception: a single clearly identified item caught immediately, where careful manual removal may be sufficient.
What should I do first if I think my Mac is infected?
Rotate credentials from a different, clean device — not the suspect Mac. Anything you type into a compromised machine can be captured again. Change your password-manager master password, API keys, SSH keys, cloud tokens, and sign out of all browser sessions everywhere. Then follow the full recovery checklist.
Referenced tools
Source links only — each goes to the tool's official home, so you install from the original maintainer. Nothing is bundled or redistributed.
The recovery checklist covers what to do next.
If any of the checks above raised a flag, the recovery checklist walks through credential rotation, the wipe-vs-clean decision, rebuilding clean, and hardening so an infostealer cannot sit silently again. Free, ungated, no signup.
Need more than a checklist? The full playbook has the scripts, prebuilt configs, and decision trees that do the parts a checklist can't.
Read the recovery checklist