CRASHSTEALER is a new macOS infostealer identified by Jamf Threat Labs, first detected in May 2026 and observed in active deployment by July. The malware cleverly uses a signed application named Werkbit.app, which bypasses Apple's Gatekeeper security. Upon installation, it connects to a GitHub repository and executes a Base64-encoded shell script that downloads and runs the CrashStealer payload.
The infostealer targets various browsers and cryptocurrency wallets, collecting user credentials and data, which it encrypts using AES-256-GCM before transmitting. CrashStealer implements anti-analysis techniques and establishes persistence by installing a LaunchAgent. It showcases advanced evasion strategies, including using a valid Developer ID for its dropper application.