SecureMac reports that variants of the Mac OS Trojan OSX/CoinThief.A, which monitors Web traffic with the aim of stealing Bitcoin wallet login credentials, were until very recently being distributed on CNET's Download.com and on MacUpdate (h/t Softpedia).
The new versions add a browser extension for Firefox, which wasn't present in previous versions of the malware.
The malware was distributed disguised as the apps "Bitcoin Ticker TTM for Mac" and "Litecoin Ticker," both of which have been available on Download.com and MacUpdate since December of 2013.
"The two variants seen by SecureMac share the same name and developer information as two apps found in Apple's Mac App Store," SecureMac explained in a blog post. "At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from Download.com."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
The company also noted that on February 12, 2014, Apple updated XProtect to defend against the two known variants of the malware.
SecureMac has manual identification and removal instructions for the malware available here.