The SHub Reaper macOS infostealer bypasses Apple’s March 2026 Terminal restriction by delivering payloads via the applescript:// URL scheme, requiring only a single user click on a social-engineered lure. The malware harvests browser credentials, password manager vaults, iCloud sessions, and cryptocurrency wallet seed phrases, then replaces crypto wallet binaries with trojanized versions for persistent financial theft. Note: source confidence is medium (SentinelOne research); independent verification is recommended before broad remediation deployment.