All incidents

CrashStealer macOS infostealer steals credentials and cryptocurrency wallets

malwareopenJul 14, 2026 — Jul 14, 2026
CrashStealer macOS infostealer steals credentials and cryptocurrency wallets

A new macOS infostealer dubbed CrashStealer has been observed stealing login credentials and cryptocurrency wallet data by masquerading as Apple’s crash‑reporting tool, according to analysis from Jamf Threat Labs. The malware was first identified in May 2026 and seen in active use by July, as reported by Infosecurity Magazine.

CrashStealer arrives inside a signed disk image that bypasses Gatekeeper, allowing the dropper application Werkbit.app to run without triggering a warning. Once executed, the dropper contacts a GitHub repository, pulls a Base64-encoded shell script and launches the payload which encrypts stolen data with AES-GCM before exfiltration.

The infostealer targets popular browsers and cryptocurrency extensions, harvesting saved passwords and private keys. To survive reboots it installs a LaunchAgent, employs anti-analysis tricks and uses a valid Developer ID to appear legitimate, details highlighted in the Jamf Threat Lab report.

Researchers note that CrashStealer has been in active deployment since May, with no linked CVE or identified threat actor group, a point echoed in the Security Affairs coverage. Its use of a legitimate Apple component and a signed installer shows how attackers are abusing trusted macOS mechanisms.

Organisations should ensure Gatekeeper remains enabled and block execution of unsigned disk images from unknown sources. Security teams ought to monitor LaunchAgent directories for unfamiliar plists and watch for outbound HTTPS connections to GitHub hosts that are not part of approved workflows, advice consistent with the Infosecurity Magazine piece.

Endpoint detection tools should be tuned to flag AES-GCM encryption routines used by unknown processes and to alert on sudden credential‑access attempts from browser storage, guidance that aligns with Jamf’s analysis. User training must stress the danger of opening unexpected DMG files, even when they appear to be signed, and encourage verification of developer IDs before installation.

Intelligence briefing updated Jul 14, 2026

Root sourcewww.jamf.com
Timeline Coverage

Swipe to explore timeline