Malicious Cryptominer Distributed by MacUpdate Hack
The MacUpdate site was hacked on 1 February 2018, and the attackers slipped malicious code into updates for Firefox, OnyX, and Deeper that would use CPU cycles on infected machines to mine cryptocurrency. Malwarebytes has instructions for removing the malware. Although MacUpdate removed the offending updates quickly, the moral of the story is that it’s always best to update an app from inside the app itself or via the developer’s Web site.
I finally feel vindicated. Homebrew, the App Developer's website, and the Mac App Store are the only places one should be at when downloading Mac-centric apps.
Chad at MacUpdate claims that they were not hacked. But it may be a distinction without a difference. Be that as it may, Malwarebytes offers a more readable explanation than MacUpdate does. So give them props.
In the meantime I'm not running macOS X 10.13 except on a test platform, from which I did not launch either OnyX or Deeper, though I have them both installed. So I replaced them, as instructed. As for Firefox, I found I was only running 58.0.1 and updated from within the app, so I think I'm clean. I found none of the suspect files in my Sierra user folder. I'll have to check 10.13 when I boot into it again.
That said, I don't use any bitcoin currency so I'm not sure what they could mine.
As for MacUpdate, as far as I know this is the first time they have been exploited in this way. They are usually reliable. Of course some of the software they offer there is crap, but that's another story. And it's not like you can't get amateur software at the Mac App Store.
But thank you to TidBITS for letting us know.
Mining is not stealing cryptocurrency from you. Mining involves performing a lot of CPU-intensive math to "earn" a unit of currency. Once it's generated, the miners copy it from your computer to a "wallet" of theirs somewhere.
The cost to you is possibly some noticeably slower performance and an increased electricity bill.