
New Mac infostealer confirms stolen passwords before stealing data

A newly discovered macOS infostealer verifies Mac login passwords before stealing sensitive data, giving attackers immediate confirmation that compromised credentials will actually work.

[Figure: PamStealer graphic showing the Rust logo, a macOS script icon, a code window, and a PAM authentication panel, with text describing a Rust-based macOS infostealer that validates credentials through PAM]

Researchers at Jamf Threat Labs have documented a new macOS malware campaign built around an infostealer called PamStealer. PamStealer disguises itself as the Maccy clipboard manager and uses AppleScript alongside a Rust payload to infect Macs.

Jamf found that PamStealer verifies login passwords through the macOS Pluggable Authentication Modules (PAM) framework before stealing additional data. This password verification sets PamStealer apart from most macOS infostealers, which typically capture whatever password a victim enters without confirming that it is valid.

The campaign begins with a fake website that closely imitates the legitimate Maccy clipboard manager. That site delivers a malicious AppleScript application disguised as Maccy.

Continue Reading on AppleInsider | Discuss on our Forums