Three coordinated ClickFix social-engineering campaigns between November 2025 and February 2026 delivered the MacSync infostealer to macOS users by impersonating AI tools including ChatGPT and Anthropic Claude Code. Targeted users were tricked into manually executing malicious terminal commands, bypassing automated defenses and enabling credential theft and cryptocurrency wallet drainage across Exodus, Atomic, Ledger, and Ledger Live. Organizations with macOS fleets, developer teams using AI tooling, and employees holding cryptocurrency assets face elevated risk from an evolving, shared delivery infrastructure that resists domain-based blocking.