What is Reaper malware?

Reaper is a newly identified macOS malware strain designed to steal cryptocurrency wallet data, browser credentials and sensitive files. It specifically targets Mac users through fake software download pages and deceptive security prompts.

How does Reaper infect Mac computers?

The malware is distributed through fake websites impersonating legitimate applications such as WeChat and Miro. Victims are tricked into opening Apple's Script Editor and executing hidden malicious code disguised within AppleScript commands.

Why is Reaper different from previous Mac crypto malware?

Earlier campaigns typically relied on convincing users to paste malicious commands into Terminal. Reaper bypasses Apple's recent Terminal-related security improvements by abusing Script Editor, another built-in macOS application.

What is Script Editor and why is it being exploited?

Script Editor is a preinstalled Apple application used to run AppleScript automation commands. Attackers use it because many users are unfamiliar with its security risks and may trust prompts that appear to come from built-in macOS tools.

Which crypto wallets does Reaper target?

Researchers say Reaper specifically targets popular crypto applications including Ledger Live, Trezor Suite and Exodus. The malware can modify wallet software to intercept future transactions and potentially redirect funds to attackers.

Can Reaper steal MetaMask and password manager data?

Yes. The malware reportedly harvests credentials from browser extensions including MetaMask and 1Password. It also targets saved passwords stored in browsers such as Chrome, Firefox and Edge.

How does Reaper trick users into trusting the attack?

The campaign uses typosquatted domains that closely resemble legitimate websites and displays fake Apple security update prompts. Victims are often asked to enter their Mac password, giving the malware elevated access to the system.

What information can Reaper steal besides crypto assets?

Reaper can collect documents, spreadsheets, PDFs, wallet files and credential databases. According to researchers, files found in Desktop and Documents folders are compressed and uploaded to remote command-and-control servers.

Image for illustrative purposes only. Not a real photo.

Reaper malware targets Mac crypto wallets

Written by Heidi Cuthbert Published Jun 9, 2026, 7:35 AM

A newly identified macOS malware strain known as Reaper is targeting cryptocurrency users by stealing wallet data, browser credentials and sensitive files through a social engineering campaign that exploits Apple's built-in Script Editor application.

The malware is distributed through fake download pages impersonating popular software such as WeChat and Miro, tricking users into launching malicious AppleScript code hidden behind deceptive prompts.

Unlike earlier attacks that relied on persuading users to paste commands into Terminal, Reaper uses AppleScript URLs to open Script Editor, allowing attackers to bypass security measures introduced in recent macOS updates.

Researchers said the malicious code is concealed using ASCII art and whitespace, making it appear harmless to users who unknowingly execute the hidden commands by clicking the play button within Script Editor.

The campaign also uses typosquatted domains designed to mimic legitimate websites and displays fraudulent Apple security update prompts that request a victim's system password to gain elevated access.

Once installed, Reaper targets cryptocurrency applications including Ledger Live, Trezor Suite and Exodus, while also harvesting credentials from browsers such as Chrome, Firefox and Edge, along with extensions including MetaMask and 1Password.

The malware can compress and exfiltrate documents, spreadsheets, wallet files and other sensitive data to remote servers before establishing persistence through a backdoor disguised as a Google Software Update directory, prompting security researchers to urge users to verify download sources and avoid entering passwords into unexpected prompts.