<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 4/10/25 3:17 PM, Ryan Carsten
Schmidt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EBB5C417-4758-43DA-B7C7-E08336271917@macports.org">
<div dir="ltr">
<div dir="ltr">On Apr 10, 2025, at 13:21, Forrest Aldrich wrote:</div>
<blockquote type="cite">
<div dir="ltr">My malware checker has identified potential
malware (AtomicStealer) distributed from MacPorts. I'd like
to confirm with the community what else is known:<br>
<br>
<br>
<blockquote>/Applications/MacPorts/tea.app<br>
➜ /Applications cd MacPorts<br>
</blockquote>
</div>
</blockquote>
<br>
<div>I know that tea is a text editor. </div>
<div><br>
</div>
<div><a href="https://ports.macports.org/port/tea"
moz-do-not-send="true" class="moz-txt-link-freetext">https://ports.macports.org/port/tea</a></div>
<div><br>
</div>
<div>I am not aware of it containing malware. </div>
<div><br>
</div>
<div>As far as I know, Atomic Stealer is distributed by tricking
a user into downloading and installing what looks like a
browser update or a cracked commercial application. It seems
unlikely that it would appear in an esoteric open source text
editor so my initial assumption is that this is a false
positive from your malware checker. </div>
<div><br>
</div>
<div>What is your malware checker? Have you contacted its
developer?</div>
</div>
</blockquote>
<br>
I cleaned this off my system, for now.<br>
<br>
The checker I'm using is Moonlock, which is a part of CleanMyMacX.<br>
<br>
<br>
_F<br>
<br>
<br>
</body>
</html>