When I started writing this blog over 11 years ago, there was plenty of malware around, but unless you failed to update Flash or Java, or downloaded ‘warez’, you were most unlikely to come across any in the wild. Over the last couple of months we have been running into AMOS/SOMA stealers in poisoned search results, ready to trap the most innocent. Apple’s security engineers are being kept busy, and earlier this week updated XProtect to version 5327.
That XProtect update was unusual, as its main set of malware detection rules didn’t change, but a relatively new component underwent major revision, a file named XPScripts.yr. This checks the contents of OSAScripts, including AppleScript, and was only introduced in XProtect 5322 on 4 November 2025. At that time it had two rules, one looking for browser names and the other for cryptocurrency and related tools identified in scripts. XProtect 5327 now has a total of 14 OSAScript rules looking for a wide range of contents typical of known malware. Checks against the rules in XPScripts.yr are invoked separately from those in the main Yara rules, when the Open Scripting framework is preparing to run an OSAScript.
It might seem odd that this latest malware starts with the unsuspecting user running an obfuscated malicious command in Terminal, then relies on OSAScript, but this lightweight approach has apparently been proving highly effective. The best way to penetrate macOS security protection is to get the user to do it for you.
In the recent past, malicious apps coached the user through bypassing the requirement for notarization by showing them how to do it. These stealers step you through running the script they need to get started, downloading their payload using curl so that it doesn’t get put into quarantine.
What happens next has been detailed by Stuart Ashenbrenner and Jonathan Semon of Huntress. What you’d download is a malicious bash script that runs a series of commands from Terminal. This first obtains the current user’s name, then prompts them to enter their password. This is the second key stage in the attack, and it will keep trying if you fob it off with anything other than the admin user’s valid password, so that it can use that to sudo its next stage into place, and start using a mixture of OSAScript scripts and a single-file Mach-O executable in a hidden file at the top level of your Home folder. Those are tucked away alongside its copy of your username and password for when it needs them next. That executable is only ad-hoc signed, though.
The malware also installs a LaunchDaemon to ensure its code is loaded during startup, and then runs its checks every second, looping all the time in the background. According to analysis of its Mach-O executable, it exfiltrates all the SmartCard data, cryptocurrency wallets, saved browser passwords, contents of keychains, and other secrets it can get its hands on.
This malware and its method of attack change rapidly as it’s detected and taken down by those inadvertently hosting it. Late last year it was exploiting ChatGPT and other AI conversations. This year it has been using articles in Medium, and will continue popping up wherever and whenever it can. Its shell scripts and OSAScripts are quick to change to evade static detection. Even its Mach-O executable is altered frequently: when Ashenbrenner and Semon saw it last year, that was named .helper. The attack seen from Medium changed that to .mainhelper, and I’m sure it has already changed identities again.
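The persistence described above, a LaunchDaemon whose executable is a hidden file at the top level of a user’s Home folder, is something you can check for yourself. This is an added example, not code from the post or from Huntress; the plists, the label com.example.helper and the path /Users/alice/.mainhelper are constructed for illustration.

```python
import plistlib
import re
import xml.parsers.expat
from typing import Optional

# A top-level dotfile in a user's home folder, e.g. /Users/alice/.mainhelper
HIDDEN_HOME_EXEC = re.compile(r"^/Users/[^/]+/\.[^/]+$")

# Constructed sample plists (not real malware artefacts): the first mimics the
# persistence described in the post, the second is an ordinary daemon.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.mainhelper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backupd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


def executable_of(job: dict) -> Optional[str]:
    """Return the path launchd would execute for this job, if any."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess(plist_path: str, data: bytes) -> Optional[dict]:
    """Flag a LaunchDaemon whose executable is a hidden top-level file in a home folder."""
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        return None  # unparseable: worth listing separately in a real scan
    exe = executable_of(job)
    if not exe or not HIDDEN_HOME_EXEC.match(exe):
        return None
    return {"plist": plist_path, "label": job.get("Label"), "executable": exe,
            "run_at_load": bool(job.get("RunAtLoad")),
            "keep_alive": bool(job.get("KeepAlive"))}


def scan(plists: dict) -> list:
    """Scan a mapping of plist path -> contents and return the findings."""
    return [f for f in (assess(p, d) for p, d in plists.items()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_PLISTS):
        print(finding)
```

On a real Mac you would feed it the contents of each file in /Library/LaunchDaemons and then inspect any flagged executable with codesign, since the post notes the payload is only ad-hoc signed.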
There does appear to be one unintended consequence of XProtect’s new-found skills at checking OSAScripts: you may find that XProtect Remediator’s scans run out of time more readily, and report PluginCanceled with a status code of 30 more often now. But at least once a week it should extend the period allowed for its scans long enough to complete them all.
Let’s hope that XProtect’s new checks stem the tide of this malware.
Previous reports
How online search and AI can install malware
More malware from Google search