Reaper macOS Infostealer Leverages Script Editor to Harvest Crypto Wallets and Passwords
What Happened — Threat actors have released a new variant of the SHub Stealer family, dubbed Reaper, that abuses the native macOS Script Editor to bypass built‑in security controls and exfiltrate cryptocurrency wallet files and saved passwords. The malware runs user‑level scripts that silently capture private keys and credential stores.
Why It Matters for TPRM —
- macOS endpoints are common in many enterprise environments; a breach can lead to direct financial loss and credential reuse.
- The technique circumvents traditional endpoint protection that relies on binary allow‑listing, because the malicious logic runs as a script inside Apple's own Script Editor rather than as a new executable.
- Third‑party vendors providing macOS device management may be unaware of this novel attack vector.
Who Is Affected — Enterprises with macOS workstations, managed service providers supporting macOS, and end‑users handling crypto assets.
Recommended Actions —
- Review macOS endpoint security controls and ensure script execution monitoring is enabled.
- Enforce strict application allow‑lists that include Script Editor usage policies.
- Verify that cryptocurrency wallets are stored in encrypted, hardware‑isolated solutions.
Technical Notes — The malware exploits the Script Editor’s ability to run AppleScript/JavaScript for Automation (JXA) without triggering Gatekeeper. No specific CVE is cited; the abuse is a novel malicious script technique. Data exfiltrated includes wallet files (e.g., .keychain, .dat) and password stores from browsers and password managers. Source: HackRead
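An added detection example, not code from the HackRead report or from the malware's authors: it scans constructed process‑event lines and flags a script host (Script Editor, or osascript, which is assumed here as the command‑line runner for the same AppleScript/JXA) opening the keychain, wallet and browser credential files named in the Technical Notes. The event format, the path patterns and the osascript process name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Processes that host AppleScript/JXA: Script Editor (named in the report) and
# osascript, the command-line runner such scripts also execute under (assumed).
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# Targets the report lists: keychain files, wallet .dat files and browser
# credential stores. The path patterns are assumptions for illustration.
SENSITIVE_PATHS = [
    re.compile(r"\.keychain(-db)?$"),
    re.compile(r"/wallet\.dat$"),
    re.compile(r"/Google/Chrome/.*/Login Data$"),
    re.compile(r"/Firefox/Profiles/.*/logins\.json$"),
]

# Constructed event format: <ts> proc="<name>" action=<open|exec> target="<path>"
LINE_RE = re.compile(r'^\S+ proc="([^"]+)" action=(\w+) target="([^"]+)"$')

@dataclass
class Event:
    process: str
    action: str
    target: str

def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    return Event(m.group(1), m.group(2), m.group(3)) if m else None

def is_suspicious(ev: Event) -> bool:
    # A script host reading a wallet or credential store is the combination
    # worth alerting on; a browser or wallet opening its own files is not.
    return (ev.process in SCRIPT_HOSTS and ev.action == "open"
            and any(p.search(ev.target) for p in SENSITIVE_PATHS))

def scan(lines: List[str]) -> List[Event]:
    events = (parse_line(line) for line in lines)
    return [ev for ev in events if ev and is_suspicious(ev)]

# Constructed sample log, not captured from a real host.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z proc="Script Editor" action=exec target="/Users/alice/Downloads/update.scpt"',
    '2024-05-01T10:00:01Z proc="Script Editor" action=open target="/Users/alice/Library/Keychains/login.keychain-db"',
    '2024-05-01T10:00:02Z proc="osascript" action=open target="/Users/alice/Library/Application Support/Bitcoin/wallet.dat"',
    '2024-05-01T10:00:03Z proc="Safari" action=open target="/Users/alice/Library/Keychains/login.keychain-db"',
    '2024-05-01T10:00:04Z proc="osascript" action=open target="/Users/alice/Documents/notes.txt"',
]
```

Running scan(SAMPLE_LOG) returns the two events where a script host opens the keychain and the wallet file; the Safari keychain access and the osascript read of an ordinary document are not reported.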