Security researchers have uncovered malware active on macOS systems that abuses Apple’s native Script Editor application to steal sensitive cryptocurrency wallet information. Known as Reaper, the malware uses this trusted, Apple-signed tool to run malicious scripts, allowing it to avoid detection by traditional security measures while accessing users’ wallet credentials and related files.

Unlike conventional malware that uses suspicious executables, Reaper's strategy centers on leveraging legitimate macOS functionality. Script Editor, designed for running AppleScript and JavaScript for Automation (JXA), is implicitly trusted by macOS security frameworks. Reaper hijacks this trusted environment, enabling the malware to execute harmful tasks without triggering Gatekeeper warnings or notarization alerts. This sophisticated approach ensures users and endpoint defense tools are less likely to spot the intrusion until data has been exfiltrated.

Crypto wallets do not store actual cryptocurrencies on local devices; instead, they hold private keys, seed phrases, and access credentials necessary to control funds on the blockchain. Malware like Reaper targets these critical access points by harvesting files related to wallet applications, browser extensions, saved passwords, and backup seeds maintained locally. Once compromised, these credentials allow attackers to reconstruct or import wallets on separate devices, effectively seizing control over the victim’s assets. Unlike passwords for standard accounts, private keys and seed phrases cannot be reset, meaning stolen crypto access can result in permanent loss of funds unless assets are transferred out promptly.
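The two paragraphs above describe the technique (a trusted script host running AppleScript/JXA) and the targets (wallet data, browser extension storage, saved credentials, seed backups). As an added defensive example that is not from the report or from any vendor tool, the following Python flags endpoint file-access events in which a script host reads wallet-related locations. The event format, the wallet path patterns and the sample events are constructed assumptions, not indicators from the report.

```python
import json
import re

# Constructed endpoint file-access events (JSON lines); not real telemetry.
SAMPLE_EVENTS = """
{"proc": "Script Editor", "parent": "Finder", "op": "read", "path": "/Users/alice/Library/Application Support/ExampleWallet/keystore.json"}
{"proc": "osascript", "parent": "Terminal", "op": "read", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Local Extension Settings/abcdef/000003.log"}
{"proc": "Script Editor", "parent": "Finder", "op": "read", "path": "/Users/alice/Documents/notes.txt"}
{"proc": "Finder", "parent": "launchd", "op": "read", "path": "/Users/alice/Library/Application Support/ExampleWallet/keystore.json"}
{"proc": "osascript", "parent": "Terminal", "op": "read", "path": "/Users/alice/Documents/seed-phrase-backup.txt"}
"""

# Script hosts: Script Editor is the one named in the article; osascript is
# the command-line AppleScript/JXA runner and is an assumed addition.
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# Assumed patterns for wallet-related data: wallet app data dirs, browser
# extension storage, keychains and seed backups. Constructed, not IoCs.
WALLET_PATTERNS = [
    re.compile(r"/Library/Application Support/[^/]*[Ww]allet"),
    re.compile(r"/Local Extension Settings/"),
    re.compile(r"/Library/Keychains/"),
    re.compile(r"seed|mnemonic", re.IGNORECASE),
]


def is_wallet_path(path: str) -> bool:
    """True when a path matches one of the assumed wallet-data patterns."""
    return any(p.search(path) for p in WALLET_PATTERNS)


def flag_events(lines: str) -> list:
    """Return events where a script host reads wallet-related data."""
    hits = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        if ev["proc"] in SCRIPT_HOSTS and ev["op"] == "read" and is_wallet_path(ev["path"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: {ev['proc']} (parent {ev['parent']}) read {ev['path']}")
```

A real deployment would source events from an EDR or Endpoint Security framework feed and tune the path patterns to the wallets actually installed; the point is that the process name alone is benign and only the combination with the data it touches is suspicious.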

Reaper’s attack chain reportedly begins by spoofing well-known brands, including Apple, Google, and Microsoft, to deceive victims into triggering the malware’s payload. The use of recognized brand identities adds credibility to the initial infection vector, increasing the likelihood that users will inadvertently execute the malicious script.

Mac users have often believed their platform is safer from malware than Windows. This perception may discourage some from installing specialized endpoint protection or closely monitoring system-level activity, making them a particularly vulnerable group for such targeted attacks.

Users suspecting Reaper infection should immediately disconnect from networks and run thorough security scans using updated antivirus or endpoint detection tools specifically equipped for macOS. Restoring from recent backups and changing credentials associated with cryptocurrency wallets are critical steps to mitigate potential damage.