thanks a lot for explaining this.
So if I make a transaction, and this transaction is still in the mempool, the hacker can change it and steal it, is that what you mean?
As I said, for making a transaction from a m of n multi-signature address, you need m out of n private keys and the public keys of other private keys.
In your example, the hacker has access to three out of four private keys and he needs to know the public keys assosiated with the fourth private key.
If you have already made a transaction from your addresss (whether that's still in the mempool or it has been included in the blockchain), the hacker can get the fourth public key from the transaction data and steal your fund.
Why does he have to know the address in that case, can't he just brute force and test all the transactions in the mempool, or is that impossible?
The hacker needs to know the address, so that he can check if there's any outgoing transaction from that.
If there's an outgoing transaction, the hacker can get the fourth public key and steal your fund.
And there is nothing to brute-force here.
If the hacker knows three out of four private keys, he actually knows three public keys too. He can check all bitcoin transactions made from 3 of 4 multi-signature address. If there's a one with an input using those three public keys, he can get the fourth public key from that transaction and steal your fund.