SHub Reaper macOS Infostealer Spoofs Apple Security Updates

SHub Reaper is a macOS infostealer campaign that abuses AppleScript, fake security updates, and GoogleUpdate-like LaunchAgents to steal browser data, wallets, files, and sessions.

Mac users and administrators should watch a new SHub Reaper infostealer campaign that disguises itself as trusted software and security-update workflows. AppleInsider, citing SentinelOne research, says the malware abuses AppleScript and familiar Apple, Google, and Microsoft-style branding to steal passwords, cryptocurrency wallets, browser data, files, and sessions from macOS systems.[1]

This campaign matters because it moves beyond a simple one-shot stealer. Earlier SHub variants relied on fake installers and ClickFix-style instructions that pushed victims into Terminal. Reaper shifts execution into Script Editor through the applescript:// URL scheme, displays fake security-update content, asks for the macOS password during later stages, and installs persistence that resembles Google’s update infrastructure.[1]

[Figure: cartoon of SHub Reaper using fake security-update booths and AppleScript to steal browser, wallet, and file data on macOS. Caption: Three familiar masks, one stealer behind the curtain.]

What SHub Reaper steals and what to check first

The infection chain starts on malicious websites that fingerprint visitors before delivering payloads. Reported checks include system details, WebGL data, VPN indicators, browser extensions, virtual-machine signals, password managers, and wallet extensions. Anti-analysis logic can interfere with developer tools and show an access-denied page when research activity is detected.[1]

Area: What to check
Execution: Unexpected Script Editor, AppleScript, shell, or osascript activity after a web prompt.
Persistence: Suspicious LaunchAgents, especially GoogleUpdate-like paths and com.google.keystone.agent.plist lookalikes.
Data theft: Browser profiles, Keychain data, Telegram sessions, wallet apps, Desktop/Documents files, and developer files.
User prompts: Unexpected macOS password prompts followed by fake compatibility or update errors.

SentinelOne’s reported behavior includes theft from major browsers such as Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, plus cryptocurrency wallet applications including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite. The newer build also adds an AMOS-style file grabber that searches Desktop and Documents for business and financial files, compresses the collection, and uploads it to command-and-control infrastructure in chunks.[1]

The persistence detail is important. SHub Reaper can create a fake GoogleUpdate.app structure and a LaunchAgent resembling Google Keystone update behavior that runs repeatedly. That makes casual review harder, because the name looks like legitimate vendor maintenance. Administrators should compare installed LaunchAgents against known-good baselines instead of trusting labels that mention Google, Apple, or Microsoft.

For personal Macs, the practical rule is direct: Apple security updates do not require opening Script Editor and clicking “Run” from an unknown website. If a page claims that a manual update is required, close it, update through System Settings or the vendor’s official site, and avoid entering the macOS password into prompts that appear after suspicious downloads. Users who recently ran an unexpected script should rotate important passwords from a clean device and check wallet and Telegram sessions.

For managed fleets, triage should focus on recent applescript:// launches, osascript execution, new LaunchAgents under user Library paths, unexpected GoogleUpdate-like directories, and outbound traffic from Script Editor or shell processes. Because the malware targets browsers, wallets, files, and sessions, a confirmed infection should be treated as credential exposure, not just endpoint cleanup.
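One way to do the LaunchAgent part of that triage, as an added example that is not the article's or SentinelOne's code: it parses every plist under a user LaunchAgents directory and flags vendor-sounding labels that are missing from a known-good baseline or that run from the wrong place, plus any agent whose job is to launch a shell, osascript or a downloader. The baseline entry, the expected Keystone directory, the two sample plists and the lookalike file name are all constructed assumptions for the demo.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Assumed baseline (constructed for this example): label -> directory the genuine
# program must live under. A real fleet would load this from its own inventory.
KNOWN_GOOD = {"com.google.keystone.agent": "/Library/Google/GoogleSoftwareUpdate/"}
VENDOR_LIKE = re.compile(r"google|keystone|apple|microsoft|update", re.I)
SCRIPT_RUNNERS = ("osascript", "Script Editor", "/bin/sh", "/bin/bash", "/bin/zsh", "curl")

def inspect_launch_agent(plist_path: Path) -> list[str]:
    """Findings for one LaunchAgent plist; an empty list means nothing looked odd."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    label = str(data.get("Label", plist_path.stem))
    args = [str(a) for a in (data.get("ProgramArguments") or [data.get("Program", "")])]
    command = " ".join(args)
    findings = []
    # 1. Vendor-sounding name: it must be in the baseline AND run from the expected place.
    if VENDOR_LIKE.search(label) or VENDOR_LIKE.search(plist_path.name):
        expected_dir = KNOWN_GOOD.get(label)
        if expected_dir is None:
            findings.append(f"vendor-like label {label!r} is not in the baseline")
        elif expected_dir not in args[0]:
            findings.append(f"{label!r} runs {args[0]!r}, not something under {expected_dir}")
    # 2. The agent's job is to run a shell, osascript or a downloader.
    if any(runner in command for runner in SCRIPT_RUNNERS):
        findings.append(f"launches a script runner or downloader: {command}")
    return findings

def scan_launch_agents(agents_dir: Path) -> dict[str, list[str]]:
    """Inspect every *.plist in agents_dir; only files with findings appear in the result."""
    return {p.name: f for p in sorted(agents_dir.glob("*.plist")) if (f := inspect_launch_agent(p))}

def make_sample_dir() -> Path:
    """Write two constructed plists: a baseline-conformant Keystone agent and a lookalike."""
    home = "/Users/me/Library"  # constructed home directory for the samples
    genuine = {"Label": "com.google.keystone.agent", "RunAtLoad": True,
               "ProgramArguments": [f"{home}/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksagent"]}
    lookalike = {"Label": "com.google.keystone.agent", "RunAtLoad": True, "StartInterval": 60,
                 "ProgramArguments": ["/bin/sh", "-c", f"{home}/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"]}
    agents_dir = Path(tempfile.mkdtemp())
    for name, plist in (("com.google.keystone.agent.plist", genuine), ("com.google.keystone.agnet.plist", lookalike)):
        with open(agents_dir / name, "wb") as fh:
            plistlib.dump(plist, fh)
    return agents_dir
```

On a real Mac, point scan_launch_agents at ~/Library/LaunchAgents (and /Library/LaunchAgents) and replace KNOWN_GOOD with the fleet's own baseline; the lookalike sample produces two findings (wrong program location and a /bin/sh launcher) while the baseline-conformant one produces none.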

This is part of a broader social-engineering pattern. Howtofix.guide has covered related tactics in ClickFix-style malware prompts, fake update downloader campaigns, and a recent fake AI repo infostealer. SHub Reaper uses macOS-specific tools, but the defensive lesson is the same: trusted-looking update language is not proof of trust.

References

  1. AppleInsider. New infostealer malware hides on Mac disguised as official Apple tools. Published May 18, 2026.
  2. SentinelOne. SHub Reaper macOS stealer spoofs Apple, Google, and Microsoft in a single attack chain. Published May 2026.
  3. The Hacker News. Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More. Published May 18, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
