Three ClickFix social-engineering campaign waves between November 2025 and February 2026 delivered the MacSync infostealer to macOS users by impersonating AI tools including ChatGPT and Claude Code, tricking users into manually executing malicious Terminal commands that bypassed automated defenses and enabled credential theft and cryptocurrency wallet drainage across Exodus, Atomic, Ledger, and Ledger Live. The payload is behavior-driven with no CVE, and delivery infrastructure leverages Cloudflare Pages, Squarespace, and Tencent EdgeOne, complicating domain-based blocking. Priority actions are user awareness training targeting the ClickFix lure pattern, EDR detection rules for browser-spawned osascript and Terminal processes, and monitoring of macOS endpoints used by developer and AI tooling users with cryptocurrency wallet access.