Fake BlueWallet steals passwords, accounts, and crypto from Macs
ID: eb7b029d-8192-58a8-87d5-ce87abc0321e
STIX ID: report--eb7b029d-8192-58a8-87d5-ce87abc0321e
Feed Name: Malwarebytes Blog
A malicious campaign impersonating BlueWallet hosts a fake download page that social-engineers Mac users into running an AppleScript, which in turn downloads a hidden shell payload (.sysupd.sh). The payload creates a hidden working directory and weakly obfuscates its configuration. It harvests browser data, desktop and browser-extension wallets, password-manager and 2FA artifacts, SSH, AWS and GPG files, and notes; establishes persistence with a LaunchAgent; continuously monitors the clipboard and replaces BTC, ETH and SOL addresses with attacker-controlled ones; and exfiltrates the collected data and accepts commands over a Telegram bot channel. Published indicators include a SHA-256 for the AppleScript, two hostile domains, and the three cryptocurrency addresses used for clipboard substitution.
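The LaunchAgent persistence and the hidden .sysupd.sh payload are the two artifacts a responder can hunt for locally. The script below is an added triage example written for this summary; it is not code from Malwarebytes or from the campaign, and the heuristics (hidden path components, shell scripts launched from user-writable locations, inline "-c" commands, RunAtLoad/KeepAlive) are mine rather than indicators from the report. The two embedded plists are constructed samples, and the hidden directory name ".cache" in the malicious one is a placeholder, since the report excerpt above does not name the real one; only the filename .sysupd.sh comes from the page.

```python
"""Triage LaunchAgent plists for a hidden shell payload kept alive at login."""
import plistlib
import re
from pathlib import Path

KNOWN_NAME = ".sysupd.sh"  # the one payload filename the report gives
# A dot-hidden directory or file component, but not "." or ".." path segments.
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/.][^/]*")
USER_WRITABLE = re.compile(r"^(/Users/|/private/tmp/|/tmp/|/var/folders/|~)")
SCRIPT_EXT = re.compile(r"\.(sh|bash|zsh|command|scpt|applescript)$")
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh",
                      "/usr/bin/osascript", "osascript"}


def audit_plist_bytes(data: bytes, source: str = "<inline>") -> list[str]:
    """Return the reasons a LaunchAgent looks suspicious; [] means nothing matched."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist that will not parse is itself worth a look
        return [f"{source}: unparseable plist ({exc})"]

    args = plist.get("ProgramArguments", [])
    if isinstance(args, str):
        args = [args]
    program = plist.get("Program")
    exec_strings = [s for s in ([program] if program else []) + list(args)
                    if isinstance(s, str)]
    reasons = []
    for s in exec_strings:
        if s.endswith(KNOWN_NAME):
            reasons.append(f"{source}: references {KNOWN_NAME}")
        if HIDDEN_COMPONENT.search(s):
            reasons.append(f"{source}: hidden path component in {s!r}")
        if USER_WRITABLE.match(s) and SCRIPT_EXT.search(s):
            reasons.append(f"{source}: script in user-writable location {s!r}")
    # Heuristic (mine): an interpreter with an inline -c command hides the payload
    # inside the plist itself instead of in a file on disk.
    if exec_strings and exec_strings[0] in SHELL_INTERPRETERS and "-c" in exec_strings[1:]:
        reasons.append(f"{source}: {exec_strings[0]} runs an inline -c command")
    persistent = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    if reasons and persistent:
        reasons.append(f"{source}: RunAtLoad/KeepAlive set, payload is relaunched at login")
    return reasons


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; returns only the hits."""
    findings = {}
    for plist_path in sorted(directory.glob("*.plist")):
        reasons = audit_plist_bytes(plist_path.read_bytes(), source=plist_path.name)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


# Constructed samples (not real artifacts). The hidden directory name is a placeholder.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Users/alice/.cache/.sysupd.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/ExampleHelper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("malicious-sample", MALICIOUS_PLIST), ("benign-sample", BENIGN_PLIST)):
        print(name, audit_plist_bytes(sample, name) or "clean")
    # Real hunt on this machine: per-user and system-wide agents, if the directories exist.
    for agents_dir in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        if agents_dir.is_dir():
            for fname, reasons in audit_directory(agents_dir).items():
                print(fname, *reasons, sep="\n  ")
```

Hits on a real machine should be confirmed by reading the referenced script and by checking `launchctl list` for the Label, since the heuristics will also flag legitimate agents that happen to run a shell script from a home directory.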
