It would be so interesting to get more details about the initial compromise. What was the engineer trying to do that ended up with downloading PTX-Player.dmg and (probably) the PTX.app installed in /Applications? Was it targeted directly at CircleCI or is this some generic info stealer? What AV / endpoint security solution were they using? Did it pass the built-in macOS protections (Gatekeeper, XProtect, etc.)? Public VirusTotal seems to know nothing about that hash.
Malicious files to search for and remove:

/private/tmp/.svx856.log
/private/tmp/.ptslog
PTX-Player.dmg (SHA256: 8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf)
PTX.app
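
A defender-side sweep for the indicators listed above, as an added example that is not part of the original comment or of CircleCI's tooling. It goes slightly beyond the list by hashing every `.dmg` it finds, so a renamed copy of the image is still caught; the optional `ROOT` prefix and the searched directories (`/Applications`, `/Users`, `/private/tmp`) are assumptions.

```shell
#!/bin/sh
# Added example: sweep a macOS filesystem for the indicators listed above.
# ROOT (optional) is an assumed prefix such as a mounted disk image; empty = live system.
IOC_SHA256="8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf"

sha256_of() {
    # macOS ships shasum; most Linux forensic hosts ship sha256sum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

ioc_sweep() {
    root="${1:-}"
    # 1. The two fixed log paths.
    for p in /private/tmp/.svx856.log /private/tmp/.ptslog; do
        if [ -e "$root$p" ]; then echo "path $root$p"; fi
    done
    # 2. Listed file names anywhere under the assumed search directories.
    find "$root/Applications" "$root/Users" "$root/private/tmp" \
        \( -name 'PTX.app' -o -name 'PTX-Player.dmg' \) 2>/dev/null |
        sed 's/^/name /'
    # 3. Any disk image whose SHA256 matches, which catches a renamed copy.
    find "$root/Applications" "$root/Users" "$root/private/tmp" \
        -type f -name '*.dmg' 2>/dev/null |
        while IFS= read -r f; do
            if [ "$(sha256_of "$f")" = "$IOC_SHA256" ]; then echo "sha256 $f"; fi
        done
    return 0
}

# Run the sweep only when asked: sh sweep.sh --sweep [ROOT]
if [ "${1:-}" = "--sweep" ]; then
    ioc_sweep "${2:-}"
fi
```

Each hit is printed as `path`, `name` or `sha256` followed by the file location; an empty output means none of the listed indicators were found under the searched directories.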