A new strain of macOS malware named Reaper targets cryptocurrency users by abusing Apple's preinstalled Script Editor in an attack that steals crypto wallet data, browser credentials, and sensitive documents. Unlike earlier malware that relied on Terminal commands, Reaper uses AppleScript to sidestep recent macOS security patches and run concealed malicious code.
The infection begins on deceptive download sites impersonating popular apps such as WeChat and Miro, often hosted on typosquatted Microsoft domains. These fake sites open Script Editor through a specially crafted AppleScript URL; the script that loads hides its commands beneath ASCII art and whitespace padding. Once the victim runs the script by clicking the play button, a counterfeit Apple security update prompt requests the system password, and that password lets the malware activate.
Reaper contains an avoidance mechanism that halts execution if the system keyboard is set to Russian, a detail that may point to its creators' origin or targeting decisions. Once active, the malware deploys a data-theft module inspired by the Atomic macOS Stealer (AMOS). It targets popular crypto wallet applications, including Ledger Live, Trezor Suite, and Exodus, modifying their internal code to intercept and redirect transaction operations.
Beyond wallets, Reaper harvests saved passwords from major browsers including Chrome, Firefox, and Edge, and extracts data from commonly used browser extensions such as 1Password and MetaMask. It also collects document files (.docx, .pdf, .xlsx, .wallet, .keys) from the Desktop and Documents folders, packs them into encrypted ZIP archives, and uploads those archives to a remote command-and-control server.
To maintain persistence, Reaper installs a backdoor camouflaged as a Google Software Update folder. The campaign is the latest in a series of macOS attacks using automated AppleScript techniques that have emerged in recent months. Security researchers have documented similar threats delivering malware such as AMOS, Macsync, and SHub Stealer through Terminal commands prompted by fake macOS troubleshooting guides on popular web platforms.
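The persistence technique above, a backdoor dressed up as a vendor's update folder, can be triaged by reading the launchd property lists that start such jobs. The following is an added example, not code from the article or from Apple, Google or any vendor: it parses LaunchAgent and LaunchDaemon plists and flags jobs whose label or program path names a well-known vendor while the binary lives outside that vendor's usual install prefix. The prefix allowlist is this example's assumption, the two plists are constructed, and the benign sample is modelled on Google's real updater, which keeps a "GoogleSoftwareUpdate" bundle under Library/Google.

```python
"""Triage launchd property lists whose job borrows a vendor's name.

Added example: not code from the article or from any vendor. The vendor
prefix allowlist and both sample plists are assumptions constructed for
illustration.
"""
import os
import plistlib
from pathlib import Path

# Assumed known-good install prefixes per vendor ("~" stands for the user's home).
VENDOR_PREFIXES = {
    "google": ("/Library/Google/", "~/Library/Google/", "/Applications/Google "),
    "microsoft": ("/Library/Application Support/Microsoft/", "/Applications/Microsoft "),
}
# Locations where a persistent job's binary should raise questions.
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def triage_launch_agent(plist_bytes: bytes, home: str = "/Users/alice") -> dict:
    """Parse one launchd plist and return the reasons, if any, to look closer."""
    job = plistlib.loads(plist_bytes)          # handles XML and binary plists
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    # Normalise the home directory so "/Users/alice/Library" compares as "~/Library".
    norm = program.replace(home.rstrip("/") + "/", "~/", 1)
    reasons = []
    for vendor, prefixes in VENDOR_PREFIXES.items():
        names_vendor = vendor in label.lower() or vendor in norm.lower()
        if names_vendor and not norm.startswith(prefixes):
            reasons.append(f"{vendor} name used outside vendor install path")
    if norm.startswith(SCRATCH_DIRS):
        reasons.append("program lives in a scratch directory")
    if any(part.startswith(".") for part in Path(norm).parts if part not in (".", "..")):
        reasons.append("program stored under a hidden directory")
    return {
        "label": label,
        "program": program,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "benign",
    }


def scan_launch_dirs(home: str = None) -> list:
    """Run the triage over the standard launchd directories on the local machine."""
    home = home or os.path.expanduser("~")
    dirs = (Path(home) / "Library/LaunchAgents",
            Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))
    results = []
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                results.append({"file": str(p), **triage_launch_agent(p.read_bytes(), home)})
            except Exception as exc:   # malformed plists are reported, not silently skipped
                results.append({"file": str(p), "error": str(exc)})
    return results


# Constructed samples, serialised with plistlib so they are valid launchd plists.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
        "/Contents/MacOS/GoogleSoftwareUpdateAgent"
    ],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.google.softwareupdate.helper",   # constructed look-alike label
    "ProgramArguments": [
        "/Users/alice/Library/Application Support/Google Software Update/updater",
        "--daemon",
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for raw in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(triage_launch_agent(raw))
    # On a Mac, also triage the live launchd directories:
    # for row in scan_launch_dirs(): print(row)
```

The allowlist is deliberately narrow: a job that merely mentions a vendor is not flagged as long as its binary sits where that vendor normally installs, so on a real machine the output is a short list worth confirming by checking each flagged binary's code signature.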
Users are advised to verify download sources before installing applications and to reject unexpected password prompts. Security tools capable of detecting obfuscated AppleScripts provide crucial protection against such threats, and scrutiny of URLs and digital signatures remains vital to avoid falling victim to this evolving tactic.
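The delivery technique described earlier (a script padded with ASCII art and whitespace so that the real commands sit out of view in Script Editor, followed by a fake update prompt for the system password) and the detection advice above both come down to inspecting AppleScript source before it is run. The following is an added example, not code from the article or from any security vendor: a heuristic scanner that measures how much of a script is padding and how far down the first real statement appears, and matches common AppleScript idioms such as a hidden-answer dialog and privileged shell execution. The regexes, weights and thresholds are this example's own assumptions, and both sample scripts are constructed (the privileged shell command is a harmless echo).

```python
"""Heuristic scanner for padded or obfuscated AppleScript sources.

Added example: not code from the article, from Apple, or from any security
vendor. Regexes, weights and thresholds are assumptions to be tuned against
a local script corpus; the samples at the bottom are constructed.
"""
import re

# A line made only of symbols, punctuation and spaces is treated as ASCII art.
ART_LINE = re.compile(r"^[\W_]{8,}$")
# AppleScript idioms that are individually legitimate but suspicious together.
PATTERNS = {
    "hidden_answer_dialog": re.compile(r"display\s+dialog.*hidden\s+answer", re.I),
    "admin_shell": re.compile(r"do\s+shell\s+script.*administrator\s+privileges", re.I),
    "shell_downloader": re.compile(r"do\s+shell\s+script.*\b(curl|wget|base64)\b", re.I),
    "update_lure": re.compile(r"(security|software)\s+update", re.I),
}
WEIGHTS = {
    "padding_hides_code": 2, "hidden_answer_dialog": 2, "shell_downloader": 2,
    "admin_shell": 1, "update_lure": 1,
}
SUSPICIOUS_SCORE = 3   # assumption: tune against your own collection of scripts


def _is_padding(line: str) -> bool:
    return not line.strip() or bool(ART_LINE.match(line))


def scan_applescript(source: str) -> dict:
    """Return padding statistics, matched heuristics and a verdict for one script."""
    lines = source.splitlines()
    padding = sum(1 for ln in lines if _is_padding(ln))
    # Index of the first real statement: how far a reader must scroll to see it.
    first_code = next((i for i, ln in enumerate(lines) if not _is_padding(ln)), len(lines))
    findings = [name for name, rx in PATTERNS.items() if rx.search(source)]
    padding_ratio = padding / len(lines) if lines else 0.0
    if padding_ratio >= 0.8 and first_code >= 30:
        findings.append("padding_hides_code")
    score = sum(WEIGHTS[f] for f in findings)
    return {
        "lines": len(lines),
        "padding_ratio": round(padding_ratio, 2),
        "first_code_line": first_code,
        "findings": findings,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "benign",
    }


# Constructed samples (not real malware). The banner lines contain no letters,
# so the art heuristic sees only symbols; the shell command is a harmless echo.
ART_BANNER = [
    r"########################################",
    r"#  __  __    _    ____   ___  ____     #",
    r"# |  \/  |  / \  / ___| / _ \/ ___|    #",
    r"# | |\/| | / _ \| |    | | | \___ \    #",
    r"# |_|  |_|/_/ \_\\____| \___/|____/    #",
    r"########################################",
]
SUSPICIOUS_SAMPLE = "\n".join(
    ART_BANNER
    + [""] * 60   # blank padding pushes the statements below the visible window
    + [
        "-- constructed: a lure dialog followed by a privileged, harmless shell call",
        'display dialog "Apple Security Update requires your password" default answer "" with hidden answer',
        'do shell script "echo PLACEHOLDER" with administrator privileges',
    ]
)
BENIGN_SAMPLE = "\n".join([
    "-- constructed: an ordinary automation script",
    'tell application "Finder"',
    '    display dialog "Hello from Finder"',
    "end tell",
    'do shell script "ls ~/Desktop"',
])

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_applescript(sample))
```

Padding alone never produces a verdict on its own; it is weighted alongside the idioms, so a long but honest script with a decorative header is not flagged unless it also asks for a hidden answer or runs a privileged or downloading shell command.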