Mon 06 Jul 2026 / 15:24 ET
Kernel
Internet 3 min read

PamStealer targets macOS passwords with a quieter fake Maccy installer

Jamf says the new macOS infostealer uses AppleScript, JXA, Rust and PAM to validate and steal login passwords while avoiding noisy process chains.

Riley Okafor

By Riley Okafor / Senior AI Reporter

PamStealer targets macOS passwords with a quieter fake Maccy installer
img: Ars Technica

Security researchers at Jamf have documented a new macOS credential stealer, called PamStealer, that disguises itself as the Maccy clipboard manager and uses ordinary macOS plumbing in ways that make it harder to spot.

The malware matters because its password theft routine does not lean on the usual noisy helper commands defenders often monitor. Jamf says the second-stage payload is written in Rust and uses macOS’s Pluggable Authentication Modules interface, or PAM, to check whether a victim entered the correct login password before sending it to infrastructure controlled by the attacker.

A fake installer with a Script Editor trick

Jamf says the infection starts with a disk image posing as Maccy, a legitimate clipboard manager for Macs. The first stage is compiled as AppleScript, a common enough choice in Mac malware. The less routine part is how the attacker uses it.

After the user double-clicks the script, macOS opens it in Script Editor. The malicious code is buried inside the file, according to Jamf. The lure then tells the user to press Command-R, which runs the script from inside Script Editor rather than launching a more obvious executable directly.

That detail is not decorative. Jamf says the approach helps the malware avoid com.apple.quarantine, the macOS attribute that can trigger warnings and limits for files downloaded from the internet. In other words, the attacker is not breaking some exotic kernel lock. They are persuading the user to make Apple’s own tools run the payload for them, which is depressingly efficient.

Native APIs instead of obvious shell commands

The AppleScript stage does not fetch the next payload with common shell tools such as curl or zsh, Jamf says. It runs a self-contained JavaScript for Automation downloader that uses native Objective-C APIs to retrieve and prepare the second stage.

Jamf described that combination as quieter than the execution chains it typically sees in commodity macOS stealers. The point is process visibility: fewer obvious child processes means fewer simple detection hooks for defenders.

The first stage places its payload inside an application bundle made to resemble Apple components. Jamf observed sample-to-sample changes in the impersonated component names, including Finder.app under com.apple.finder.core or com.apple.finder.monitor, and Software Update.app under com.apple.security.daemon. The fake components run hidden and use Apple’s real Finder icon, according to the researchers.

The second stage is a compact Mach-O binary built for Macs with Apple silicon. Jamf says Rust is still less common in macOS stealers than Swift, Go or Objective-C. The payload also uses a bundled SQLite component’s read interface so it can inspect database files directly.

Password capture through PAM

PamStealer presents a native-looking password dialog that imitates a system authorization request. The prompt text says: “Maccy wants to make changes. Enter your password to allow this.”

When the user enters a password, Jamf says the malware validates it locally through PAM. It does not call out to dscl, security, osascript or another spawned process for verification. If the password is wrong, the prompt returns until the user enters the correct one. Once the malware has a valid password, it shows a message claiming the file is damaged and cannot be installed, a decoy meant to make the failed installation look mundane.

Jamf also found code aimed at increasing what the stealer can collect, including a request for full disk access to the fake Maccy app and routines intended to reach Ethereum accounts. The malware can delay permission prompts, including full disk access requests, for as long as 40 minutes so those prompts do not appear to line up neatly with the first launch, according to Jamf.

The confirmed lesson is narrow but useful: PamStealer is not magic. It uses familiar macOS features, a plausible app disguise and a less chatty validation path to reduce the obvious signals security tools and users might notice.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗