⛓ Supply Chain
Handbrake macOS App Supply Chain Attack — Mac Users' Credentials Stolen
Incident Details
Between 2-6 May 2017, attackers compromised one of HandBrake’s macOS download mirror servers and replaced the legitimate HandBrake installer with a trojanized version containing the Proton RAT — a macOS remote access trojan sold on criminal forums. HandBrake is a free, open-source video transcoding application widely used by creative professionals and developers on macOS. The HandBrake team estimated approximately 50% of downloads during the compromised window came from the affected mirror. The Proton RAT collected macOS Keychain data (stored passwords), browser saved credentials, SSH keys, and GPG keys, and sent them to an attacker-controlled command-and-control server. The actor Maija Lehtinen was subsequently identified as the operator behind the Proton RAT. Infected users were instructed to immediately change all saved passwords, invalidate SSH keys and GPG keys, and check their Keychain for stored credentials. Corporate victims included Panic Software (maker of macOS development tools), which confirmed via Twitter that it had been infected, potentially exposing customer data. The attack was a notable early example of macOS supply chain compromise through a trusted open-source download mirror.
Technical Details
- Initial Attack Vector: Attackers compromised the HandBrake download mirror server and replaced the legitimate macOS HandBrake installer (HandBrake-1.0.7.dmg) with a trojanized version containing the Proton RAT; users who downloaded HandBrake from the compromised mirror between 2-6 May 2017 received malware instead of the legitimate application
- Vendor / Product: HandBrake video transcoder (mirror download server)
- Malware Family: Proton RAT (Remote Access Trojan) for macOS
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2017-05-01 Breach occurred
- 2017-05-01 Publicly disclosed