All incidents

PamStealer macOS malware steals credentials via fake Maccy app

malwareopenJul 2, 2026 — Jul 10, 2026
PamStealer macOS malware steals credentials via fake Maccy app

PAMSTEALER, a newly identified macOS infostealer, has been observed masquerading as the popular clipboard utility Maccy to harvest credentials from Apple Silicon Macs according to Jamf Threat Labs.

The malware arrives in a two‑stage chain, beginning with a malicious disk image that executes an AppleScript dropper which then downloads a Rust‑based payload as reported by securityonline.info.

The Rust component leverages the Pluggable Authentication Modules framework to verify the user’s login password before acting as a fake Finder process to collect passwords, browser data and clipboard contents, which are then exfiltrated over an encrypted channel to a command‑and‑control server per Ars Technica.

Activity has been tracked between early July 2026 and mid‑July 2026, with no specific threat actor attributed to the campaign so far, but the malware employs several evasion tricks such as delaying prompts and encrypting communications to stay under the radar.

The use of legitimate macOS mechanisms like PAM and AppleScript highlights a growing trend where attackers abuse trusted system interfaces to avoid detection, highlighting the need for deeper behavioural monitoring on endpoints.

Defenders should treat any unexpected password prompt as suspicious, avoid opening disk images from unverified sources, and ensure that endpoint protection solutions are configured to flag unusual AppleScript execution and Rust binary launches.

Intelligence briefing updated Jul 10, 2026

Root sourcewww.jamf.com
Timeline Coverage

Swipe to explore timeline