New macOS infostealer impersonates Apple, Microsoft, and Google in a single attack chain
ID: 076c9607-4ba4-5dbe-857f-12437ce4bde4
STIX ID: report--076c9607-4ba4-5dbe-857f-12437ce4bde4
Feed Name: Help Net Security
SentinelOne researchers describe Reaper, a variant of the SHub macOS infostealer that impersonates Apple, Microsoft, and Google within a single attack chain. Delivery relies on the applescript:// URL scheme and typosquatted fake installer pages to get malicious AppleScript onto the victim's machine. Once running, the malware fingerprints the host and exfiltrates browser data, Keychain items, developer files, Telegram sessions, and cryptocurrency wallets (including attempts to replace wallet applications' app.asar files), and a Filegrabber component collects user documents. Persistence is achieved by installing a LaunchAgent under a GoogleUpdate-like path. The report includes IoCs and detection recommendations.
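The persistence mechanism above (a LaunchAgent that borrows the Google updater's name) is the easiest part of this chain to hunt for on a fleet. The following script is an added example, not code from the SentinelOne report or from Help Net Security: it parses per-user LaunchAgent plists and flags any agent that carries a GoogleUpdate-like name but runs from outside Google's own install location, or that runs from a user-writable scratch directory. The heuristics, the assumed Google install path marker (`/Library/Google/`), and the sample plists are all constructed for the example and are not indicators from the report.

```python
"""Hunt for GoogleUpdate-lookalike LaunchAgents of the kind described in the Reaper write-up."""
from __future__ import annotations

import os
import plistlib
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions for this example, not indicators from the report:
#  1. an agent that borrows the Google updater's name but runs from somewhere other
#     than Google's own install location (assumed to sit under .../Library/Google/);
#  2. an agent whose program lives in a user-writable scratch directory.
BRAND_RE = re.compile(r"google\s*(software\s*)?update", re.IGNORECASE)
GOOGLE_INSTALL_MARKER = "/Library/Google/"
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

REASON_BRAND = "GoogleUpdate-like name outside Google's install path"
REASON_SCRATCH = "program in user-writable scratch directory"


def program_of(agent: dict) -> str:
    """Executable a launchd agent plist would run (Program wins over ProgramArguments[0])."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def classify(agent: dict) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means nothing flagged."""
    reasons: list[str] = []
    label = str(agent.get("Label", ""))
    prog = program_of(agent)
    if (BRAND_RE.search(label) or BRAND_RE.search(prog)) and GOOGLE_INSTALL_MARKER not in prog:
        reasons.append(REASON_BRAND)
    if any(prog.startswith(d) for d in SCRATCH_DIRS):
        reasons.append(REASON_SCRATCH)
    return reasons


def scan_dir(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist in a LaunchAgents directory; return {filename: reasons} for flagged ones."""
    findings: dict[str, list[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                agent = plistlib.load(fh)
        except Exception:  # any parse failure: a broken plist in LaunchAgents is itself worth a look
            findings[path.name] = ["unparseable plist"]
            continue
        reasons = classify(agent)
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample agents for an offline run; none of these paths or labels are real IoCs.
SAMPLE_AGENTS = {
    "com.google.keystone.agent.plist": {  # updater-style agent inside Google's path: must NOT flag
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                             "GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent"],
        "RunAtLoad": True,
    },
    "com.googleupdate.agent.plist": {  # lookalike persistence of the kind described above
        "Label": "com.GoogleUpdate.agent",
        "ProgramArguments": ["/Users/alice/Library/Application Support/GoogleUpdate/GoogleUpdate"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.sync.plist": {  # runs out of /private/tmp
        "Label": "com.example.sync",
        "Program": "/private/tmp/.sync/agent",
        "RunAtLoad": True,
    },
    "com.example.benign.plist": {  # ordinary third-party helper: must NOT flag
        "Label": "com.example.helper",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--daemon"],
    },
}


def demo() -> dict[str, list[str]]:
    """Write the constructed agents to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, agent in SAMPLE_AGENTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(agent, fh)
        return scan_dir(Path(tmp))


if __name__ == "__main__":
    target = Path.home() / "Library" / "LaunchAgents"  # per-user LaunchAgents directory on macOS
    results = scan_dir(target) if target.is_dir() else demo()
    for name, reasons in results.items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it on a macOS host and it walks the current user's `~/Library/LaunchAgents`; anywhere else it falls back to the constructed samples, of which only the lookalike and the /private/tmp agent are reported. Two follow-ups a responder would add, neither taken from the report: check each cryptocurrency wallet's app bundle with `codesign --verify --deep --strict` (a swapped app.asar under Contents/Resources should break the bundle's resource seal), and confirm which application the host has registered as the default handler for the `applescript://` scheme.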
