← All articles

PamStealer Mac malware poses as a clipboard app and verifies passwords through PAM

Jamf Threat Labs found a new macOS infostealer, PamStealer, that impersonates Maccy, a popular open-source clipboard manager, through a fake website. Victims download what looks like a Maccy installer but is a malicious AppleScript that quietly fetches a Rust-based stealer. Its standout trick is how it grabs the login password: it shows a native-looking prompt saying "Maccy wants to make changes" and validates whatever the user types against macOS's own Pluggable Authentication Modules, so it only keeps a confirmed-correct password and avoids the noisy process calls other stealers make. The second stage hides as Finder, encrypts its traffic, and delays its Full Disk Access request to avoid suspicion.

Check
Make sure anyone using the Maccy clipboard manager downloaded it only from maccy.app or its official GitHub, and treat unexpected admin-password prompts and Full Disk Access requests during app installs with suspicion.
Affected
Mac users who install software from fake or unofficial sites; PamStealer poses as the Maccy clipboard app, confirms the login password through macOS PAM, then steals credentials, browser data, and wallet access.
Fix
Install Mac apps only from official sites or the App Store, verify download URLs carefully, deny unexpected password and Full Disk Access prompts, and keep macOS and endpoint tools updated.