M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

by

The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.

m1 mac mini screen
Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"

you did it silver sparrow
Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Tag: M1 Guide

Popular Stories

iOS 26

iOS 26.3 and iOS 26.4 Will Add These New Features to Your iPhone

Tuesday February 3, 2026 7:47 am PST by
While the iOS 26.3 Release Candidate is now available ahead of a public release, the first iOS 26.4 beta is likely still at least a week away. Following beta testing, iOS 26.4 will likely be released to the general public in March or April. Below, we have recapped known or rumored iOS 26.3 and iOS 26.4 features so far. iOS 26.3 iPhone to Android Transfer Tool iOS 26.3 makes it easier...
Read Full Article35 comments
imac video apple feature

Apple Makes Its Second-Biggest Acquisition Ever

Tuesday February 3, 2026 12:45 pm PST by
Apple recently acquired Israeli startup Q.ai for close to $2 billion, according to Financial Times sources. That would make this Apple's second-biggest acquisition ever, after it paid $3 billion for the popular headphone maker Beats in 2014. This is also the largest known Apple acquisition since the company purchased Intel's smartphone modem business and patents for $1 billion in 2019....
Read Full Article
iOS 26 Home Feature

Apple Gives Final Warning to Home App Users

Tuesday February 3, 2026 8:55 am PST by
In 2022, Apple introduced a new Apple Home architecture that is "more reliable and efficient," and the deadline to upgrade and avoid issues is fast approaching. In an email this week, Apple gave customers a final reminder to upgrade their Home app by February 10, 2026. Apple says users who do not upgrade may experience issues with accessories and automations, or lose access to their smart...
Read Full Article69 comments
Apple Logo Zoomed

Tim Cook Teases Plans for Apple's Upcoming 50th Anniversary

Thursday February 5, 2026 12:54 pm PST by
Apple turns 50 this year, and its CEO Tim Cook has promised to celebrate the milestone. The big day falls on April 1, 2026. "I've been unusually reflective lately about Apple because we have been working on what do we do to mark this moment," Cook told employees today, according to Bloomberg's Mark Gurman. "When you really stop and pause and think about the last 50 years, it makes your heart ...
Read Full Article140 comments
maxresdefault

M5 Pro and M5 Max MacBook Pro Launch Imminent as Reseller Stock Dwindles

Tuesday February 3, 2026 12:12 pm PST by
New M5 Pro and M5 Max MacBook Pro models are slated to launch in the near future, according to information shared with MacRumors by an Apple Premium Reseller. Subscribe to the MacRumors YouTube channel for more videos. The third-party Apple retailer said that MacBook Pro stock is very low currently because there is an imminent new product introduction. Apple typically coordinates supply with...
Read Full Article149 comments

Top Rated Comments

Vol Braakzakje Avatar
Vol Braakzakje
65 months ago
it’s Intel that tries to get people afraid to buy M1s
Score: 22 Votes (Like | Disagree)
chachawpi Avatar
chachawpi
65 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
Score: 14 Votes (Like | Disagree)
Joniz Avatar
Joniz
65 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.
Score: 14 Votes (Like | Disagree)
CmdrLaForge Avatar
CmdrLaForge
65 months ago
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
Score: 10 Votes (Like | Disagree)
Populus Avatar
Populus
65 months ago
Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.
Score: 9 Votes (Like | Disagree)
Populus Avatar
Populus
65 months ago

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.
Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.
Score: 8 Votes (Like | Disagree)
Read All Comments