Pearcleaner is a popular Mac app cleaner, but a fake website impersonating it is reportedly pushing malware to unsuspecting users. A PSA posted on Reddit’s r/macapps community warns that pearcleaner.com is not the real Pearcleaner website. The actual Pearcleaner project is hosted by developer alienator88 on GitHub, and its official page says the only legitimate website owned by the developer is itsalin.com. The app can also be installed through Homebrew using the official cask.
What does the fake app do?
According to the Reddit post, the fake Pearcleaner site sends users through a redirect and eventually tells them to paste a command into the Mac Terminal. That is the giant red flag. The alleged attack does not behave like a normal app installer. It uses the command to download and run scripts that are described as heavily obfuscated. The Reddit breakdown says the payload behaves like the AMOS / Atomic Stealer family of macOS infostealers, which are designed to grab sensitive data quickly and send it back to attackers.
The reported targets include saved browser passwords, cookies, session tokens, autofill data, crypto wallets, wallet extensions, Keychain-related prompts, and files from common folders such as Desktop and Documents.
Why it is scary
This Mac malware attack works because it borrows trust from a real app. Aside from the victims, even Pearcleaner is being affected by this. It is also a reminder that macOS security can only do so much if a user is tricked into manually running a command. Earlier this year, we also covered another macOS infostealer campaign that relied on users pasting a Terminal command, which makes this pattern worth watching.
The real Pearcleaner GitHub page now includes a warning that anything outside the developer’s legitimate site offering downloads is either a scam or unaffiliated. It also lists the project as on hold, with version 5.4.3 as the latest release.
