New macOS Malware notnullOSX Targets Crypto Wallets Over $10K

The emergence of notnullOSX marks a significant escalation in macOS‑focused cybercrime, reflecting a broader trend where attackers zero in on high‑value cryptocurrency holdings. While macOS has traditionally been viewed as a relatively secure platform, the rapid growth of digital assets has attracted sophisticated threat actors who now blend classic social‑engineering ploys—such as counterfeit Google Docs alerts—with native macOS command‑line exploits. By leveraging a seemingly innocuous Terminal command, the malware sidesteps Apple’s Gatekeeper, gaining the foothold needed to request Full Disk Access and silently siphon credentials from iMessage, Notes, and Safari.

Beyond credential theft, notnullOSX employs a multi‑layered distribution strategy that includes a hijacked YouTube channel promoting a fake version of the WallSpace app. The video garnered 50,000 views in two weeks, illustrating how attackers exploit existing content ecosystems to reach tech‑savvy audiences. Once installed, the backdoor remains active, allowing operators to push updates or new modules at will. The most alarming capability is the ReplaceApp feature, which swaps legitimate wallet managers like Ledger Live and Trezor with malicious stand‑ins, capturing seed phrases as users type them. This technique undermines the perceived invulnerability of hardware wallets, exposing a critical attack surface that has been largely overlooked.

For enterprises and individual investors, the implications are clear: macOS security hygiene must evolve to address both software and hardware vectors. Organizations should enforce strict application whitelisting, limit Full Disk Access permissions, and educate users about the dangers of copying unknown Terminal commands. Crypto custodians need to consider additional layers of verification for wallet software, such as code‑signing checks and isolated execution environments. As threat actors continue to refine modular malware like notnullOSX, a proactive, defense‑in‑depth posture will be essential to safeguard digital wealth on Apple devices.