Fake Maccy app installs PamStealer macOS password stealer
A counterfeit Maccy clipboard app installs PamStealer, a Rust macOS infostealer that validates passwords via PAM and steals browser, Keychain and crypto keys.
Jamf Threat Labs reported Thursday that a counterfeit version of the Maccy clipboard manager is delivering a Rust-based infostealer called PamStealer to macOS users.
The campaign uses a lookalike website to distribute a disk image containing an AppleScript file named Maccy.scpt. When opened, the file displays instructions asking users to run the script in Apple’s Script Editor while hiding malicious code further down the document.
The first-stage script leverages JavaScript for Automation and native macOS APIs to fetch a second-stage payload without calling common shell tools such as curl or zsh, reducing the number of observable processes.
Researchers named the malware PamStealer because one of its core behaviors is validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) system before harvesting credentials. The second-stage component is a Rust-compiled binary built for Apple Silicon that attempts to blend in by impersonating Finder or Software Update.
The dropper does not store its configuration in cleartext. Instead it derives a decryption key from a host fingerprint (factors such as CPU architecture, locale, keyboard layout and time zone) and uses that key to unlock an encrypted, integrity-checked configuration that contains the payload URL and installation path.
Once installed, PamStealer can harvest saved browser credentials and Keychain items, monitor clipboard contents, establish persistence and send collected data to a remote command-and-control server over encrypted channels. The malware contains logic to terminate quietly if it determines it is not running on an intended target.
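Two of the behaviours above are cheap to hunt for in endpoint telemetry: a scripting host such as Script Editor opening network connections (the first-stage fetch), and a process that calls itself Finder or Software Update but runs from a path where no Apple component lives. The following triage script is an added example written for this article, not Jamf's or Apple's code; the event schema, the allowlisted Apple path prefixes and the sample events are all constructed assumptions, not real telemetry or indicators from the report.

```python
from dataclasses import dataclass
from typing import Optional, List

# Assumption: genuine Finder / Software Update binaries live under one of these
# system prefixes. Any process using those names from elsewhere is treated as masquerading.
APPLE_SYSTEM_PREFIXES = (
    "/System/Library/CoreServices/",
    "/System/Library/PrivateFrameworks/",
    "/usr/libexec/",
)
IMPERSONATED_NAMES = {"Finder", "Software Update"}

# Automation hosts a victim is told to paste a script into; outbound connections
# from these are unusual enough to surface for review.
SCRIPT_HOSTS = {"Script Editor", "osascript"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def is_apple_system_path(path: str) -> bool:
    return path.startswith(APPLE_SYSTEM_PREFIXES)


def check_masquerade(event: dict) -> Optional[Finding]:
    """Flag a process_exec whose name copies an Apple component but whose binary is elsewhere."""
    if event.get("type") != "process_exec":
        return None
    if event["name"] in IMPERSONATED_NAMES and not is_apple_system_path(event["path"]):
        return Finding("masquerade_apple_process", event["pid"],
                       f"{event['name']!r} launched from {event['path']}")
    return None


def check_script_host_network(event: dict) -> Optional[Finding]:
    """Flag a network_connect initiated by a scripting host."""
    if event.get("type") != "network_connect":
        return None
    if event["name"] in SCRIPT_HOSTS:
        return Finding("script_host_network", event["pid"],
                       f"{event['name']} connected to {event['remote']}")
    return None


def triage(events: List[dict]) -> List[Finding]:
    """Run every rule over every event, preserving event order."""
    findings = []
    for ev in events:
        for check in (check_masquerade, check_script_host_network):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample events (hypothetical schema; not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "process_exec", "pid": 301, "name": "Finder",
     "path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"type": "process_exec", "pid": 4410, "name": "Script Editor",
     "path": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"type": "network_connect", "pid": 4410, "name": "Script Editor",
     "remote": "203.0.113.10:443"},
    {"type": "process_exec", "pid": 4422, "name": "Finder",
     "path": "/Users/alice/Library/Caches/.fd/Finder"},
    {"type": "network_connect", "pid": 302, "name": "Safari",
     "remote": "93.184.216.34:443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid={finding.pid}: {finding.detail}")
```

Both rules are triage signals rather than verdicts: Script Editor can legitimately reach the network when a user's own script fetches a URL, so the connection is worth correlating with a recently mounted disk image or an `.scpt` opened from Downloads before acting on it. The path allowlist is the part to tune for your fleet, since a process name on its own is trivially spoofable while the on-disk location and code signature are not.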
In some infections the threat displays a fake Finder alert asking the user to grant Full Disk Access. Because that prompt can appear up to 40 minutes after the initial download, users may not connect it to the earlier action. If granted, Full Disk Access can allow the malware to read protected data such as Mail, Messages and Time Machine backups.
Jamf has not observed widespread active infections and notified Apple of its findings. The researchers also reported attackers using paid search and social platform advertisements to push malicious app downloads. One sponsored ad redirected users to a site that instructed them to run a Terminal command; analysis of that payload identified a recent Atomic (MacSync) stealer variant.
Jamf recommended downloading macOS apps only from official developer websites or the Mac App Store, avoiding execution of scripts from unfamiliar pages, and declining unexpected permission requests such as Full Disk Access. Users who suspect compromise should run an endpoint scan, reset passwords and revoke and reissue any exposed cryptographic keys.