SHub Reaper macOS infostealer variant

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique source, 1 article

Summary

The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It steals browser data, crypto wallet information, and sensitive files from compromised systems while hiding its payload behind a malicious installer flow. The malware also installs LaunchAgent persistence, which can keep attacker access alive after execution.

Related Happenings

GPU cryptomining malware using ScreenConnect and SEO poisoning

Malware Activity
First: 28.05.2026 00:31 Last: 28.05.2026 00:31 Sources 1

About this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Timeline

  1. 19.05.2026 00:42 2 articles · 9d ago

    SentinelOne identifies SHub Reaper macOS infostealer

    Initial Disclosure

    SentinelOne identified Reaper, a new SHub macOS infostealer variant. It uses an applescript:// URL scheme to open Script Editor with malicious AppleScript and shows a fake Apple security update referencing XProtectRemediator. It steals browser data and crypto wallets, targets iCloud, Telegram, and developer files, and grabs sensitive files from Desktop and Documents. It installs LaunchAgent persistence and can extend access with remote payload execution. The lure uses fake WeChat and Miro installers, and the malware exits on systems with Russian keyboard/input.
