Malware Reaper steals cryptocurrency wallet data by hijacking the macOS Script Editor

According to Cryptopolitan, a new type of macOS malware named Reaper is spreading through fake download pages of applications like WeChat and Miro, targeting the theft of cryptocurrency wallet data, browser passwords, and sensitive documents. This malware exploits the AppleScript URL to trigger the system's built-in script editor, hiding malicious code through ASCII art and spaces. After users click the run button, a fake Apple security update pop-up lures victims into entering their computer passwords.

Reaper targets desktop cryptocurrency applications such as Ledger Live, Trezor Suite, and Exodus, modifying the internal code of wallets to intercept future transactions and redirect funds. It also steals saved credentials from Chrome, Firefox, and Edge, extracting files like .docx, .pdf, and .wallet from the desktop and documents folder. Reaper also installs a backdoor disguised as a Google software update directory for persistent attacks. Security experts advise users to verify download links, avoid entering passwords in unexpected pop-ups, and immediately close the page if a website requests to open the script editor.