macOS Safety Tips In Light Of The ChromeLoader Campaign

Almost every outlet had some version of these four bullets (via Malwarebytes) when it comes to advice regarding how to prevent similar, future attacks:

  • Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
  • In Chrome, Click the More icon, then More Tools -> Extensions. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
  • Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
  • Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

From what I understand, the first bullet was the cause of much of the pain for folks (so def avoid risky behavior moving forward is 100% the first step to help prevent future attacks).

I have a hard time recommending non-enterprise-grade endpoint security solutions. Most clever attacks easily bypass non-enterprise solutions (and also bypass many enterprise solutions until rulesets get updated).

Having said that, LuLu, KnockKnock, BlockBlock, and RansomWhere? from ObjectiveSee ( are default installs for me on any new Mac and can help notify you when things start to go awry on your system (early behavioral detection is one of the only methods to quickly stop attacks like this). They’re free, but def drop some coin if you can. They do good work. If running something besides Apple’s own (hidden) anti-malware agent will make you feel better, Malwarebytes is what I recommend.

Be very picky with browser extensions. I run with a very limited set of them, and most of the ones I use are safety-related:

– uBlock Origin (; I have nearly every rule enabled
– Disconnect (
– Trace (

Their URL/domain/IP lists are updated weirdly fast and they also block alot of malicious adverts on pages. It does mean having to spend some time each week tweaking settings for various new sites. Your world will be more painful after installing them, but it’s worth it (and you’ll be amazed how nice the web looks again).

I’d say “don’t use Chromium-based browsers” but WebKit-based browsers have their fair share of attacks & weaknesses. Having said that, running something besides Chrome from Google-proper can help. When forced to use a Chromium browser, I use Vivaldi ( and have all the safety features enabled by default, and only whitelist sites I absolutely need to access.

My main, daily brwoser of choice is Orion ( It’s WebKit-based (like Safari) but it’s wrapped in a different shell and has more Safety features than Safari. It also supports Chrome extensions, so I have uBlock, Disconnect, and Trace installed in it. I also default every site into “Reader” mode on Orion, and only enable sites I really trust to be in non-Reader mode. That’ll prevent a ton of popups on its own.

If, for some reason, you need to use Chrome-proper, run with the Chrome Beta channel version ( It’s weeks ahead of the Stable releases, which can help protect from malware that relies on vulnerabilities in the Stable release.

Always let Chromium- and WebKit-based browsers update when you get the prompt or the toolbar icon tells you to. You have to be a bit careful if it’s a dialog prompt (like Orion) since some malicious sites pop up similar looking ones.

Use something else besides in-built browser password managers. I use Bitwarden ( personally and my workplace uses 1Password ( Don’t set either to never lock.

Enable multi-factor authentication on EVERY site you can, and consider deleting accounts on ones that don’t. Try to use sites that work with apps like Duo ( or Microsoft Authenticator ( For the latter, if a site works with their “tap the number” feature, use it.

I also always run macOS new betas. That causes alot of pain, sometimes, but it also catches many malware families off guard. This is not something everyone can easily do, but definitely consider it.

I wish the advice were easier and more bulletproof, but the modern threat landscape is pretty complex and dangerous.