SecureMac reports that variants of the Mac OS Trojan OSX/CoinThief.A, which monitors Web traffic with the aim of stealing Bitcoin wallet login credentials, were until very recently being distributed on CNET's and on MacUpdate (h/t Softpedia).

The new versions add a browser extension for Firefox, which wasn't present in previous versions of the malware.

The malware was distributed disguised as the apps "Bitcoin Ticker TTM for Mac" and "Litecoin Ticker," both of which have been available on and MacUpdate since December of 2013.

"The two variants seen by SecureMac share the same name and developer information as two apps found in Apple's Mac App Store," SecureMac explained in a blog post. "At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from"

The company also noted that on February 12, 2014, Apple updated XProtect to defend against the two known variants of the malware.

SecureMac has manual identification and removal instructions for the malware available here.

Photo courtesy of Shutterstock.