HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

SHub macOS Infostealer ‘Reaper’ Spoofs Apple Security Updates to Steal Credentials and Crypto Wallets

A new SHub macOS infostealer variant, called Reaper, uses a fake Apple security‑update dialog to trick users into running malicious AppleScript. The malware harvests browser data, cryptocurrency‑wallet credentials, and keychain passwords, then exfiltrates them via a Telegram bot, highlighting a supply‑chain risk for macOS software.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

SHub macOS Infostealer Variant “Reaper” Spoofs Apple Security Updates to Harvest Credentials and Crypto Wallets

What Happened – A new SHub macOS infostealer, dubbed Reaper, uses the applescript:// URL scheme to launch a malicious AppleScript that mimics an Apple security‑update dialog. The script steals browser data, cryptocurrency‑wallet credentials, and keychain passwords, then exfiltrates the information via a Telegram bot.

Why It Matters for TPRM

  • Attack bypasses Apple’s recent Terminal‑command mitigations, showing that “patch‑only” defenses are insufficient.
  • The campaign distributes fake installers for popular apps (WeChat, Miro) on look‑alike domains, exposing any third‑party software supply chain you may rely on.
  • Credential harvesting targets keychain items, putting downstream SaaS services and financial systems at risk.

Who Is Affected – Enterprises and individuals using macOS devices, especially those that install third‑party collaboration tools (WeChat, Miro) from unverified sources; any vendor that supplies macOS‑based software or integrates with Apple’s ecosystem.

Recommended Actions

  • Verify the provenance of all macOS installers; enforce signed‑by‑trusted‑publisher policies.
  • Harden endpoint controls to block applescript:// URLs and enforce application‑allow lists.
  • Conduct credential‑rotation for macOS keychain passwords and cryptocurrency wallet secrets.
  • Update security awareness training to include “fake Apple update” lures.

Technical Notes – The malware leverages the applescript:// scheme to open Script Editor pre‑loaded with malicious code, then runs osascript to execute it. It checks for Russian keyboard layouts to avoid analysis environments, prompts for the macOS password, and harvests data from Chrome, Firefox, Edge, Brave, Arc, and numerous crypto‑wallet extensions (MetaMask, Phantom). Exfiltration occurs via a Telegram bot. No known CVE is directly exploited; the attack relies on social engineering and AppleScript execution. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/shub-macos-infostealer-variant-spoofs-apple-security-updates/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →