SHub macOS Infostealer Variant “Reaper” Spoofs Apple Security Updates to Harvest Credentials and Crypto Wallets
What Happened – A new SHub macOS infostealer, dubbed Reaper, uses the applescript:// URL scheme to launch a malicious AppleScript that mimics an Apple security‑update dialog. The script steals browser data, cryptocurrency‑wallet credentials, and keychain passwords, then exfiltrates the information via a Telegram bot.
Why It Matters for TPRM –
- Attack bypasses Apple’s recent Terminal‑command mitigations, showing that “patch‑only” defenses are insufficient.
- The campaign distributes fake installers for popular apps (WeChat, Miro) on look‑alike domains, exposing any third‑party software supply chain you may rely on.
- Credential harvesting targets keychain items, putting downstream SaaS services and financial systems at risk.
Who Is Affected – Enterprises and individuals using macOS devices, especially those that install third‑party collaboration tools (WeChat, Miro) from unverified sources; any vendor that supplies macOS‑based software or integrates with Apple’s ecosystem.
Recommended Actions –
- Verify the provenance of all macOS installers; enforce signed‑by‑trusted‑publisher policies.
- Harden endpoint controls to block
applescript://URLs and enforce application‑allow lists. - Conduct credential‑rotation for macOS keychain passwords and cryptocurrency wallet secrets.
- Update security awareness training to include “fake Apple update” lures.
Technical Notes – The malware leverages the applescript:// scheme to open Script Editor pre‑loaded with malicious code, then runs osascript to execute it. It checks for Russian keyboard layouts to avoid analysis environments, prompts for the macOS password, and harvests data from Chrome, Firefox, Edge, Brave, Arc, and numerous crypto‑wallet extensions (MetaMask, Phantom). Exfiltration occurs via a Telegram bot. No known CVE is directly exploited; the attack relies on social engineering and AppleScript execution. Source: BleepingComputer