PamStealer Mac malware poses as a clipboard app and verifies passwords through PAM
Jamf Threat Labs found a new macOS infostealer, PamStealer, that impersonates Maccy, a popular open-source clipboard manager, through a fake website. Victims download what looks like a Maccy installer but is a malicious AppleScript that quietly fetches a Rust-based stealer. Its standout trick is how it grabs the login password: it shows a native-looking prompt saying "Maccy wants to make changes" and validates whatever the user types against macOS's own Pluggable Authentication Modules, so it only keeps a confirmed-correct password and avoids the noisy process calls other stealers make. The second stage hides as Finder, encrypts its traffic, and delays its Full Disk Access request to avoid suspicion.
- Check: Make sure anyone using the Maccy clipboard manager downloaded it only from maccy.app or its official GitHub, and treat unexpected admin-password prompts and Full Disk Access requests during app installs with suspicion.
- Affected: Mac users who install software from fake or unofficial sites; PamStealer poses as the Maccy clipboard app, confirms the login password through macOS PAM, then steals credentials, browser data, and wallet access.
- Fix: Install Mac apps only from official sites or the App Store, verify download URLs carefully, deny unexpected password and Full Disk Access prompts, and keep macOS and endpoint tools updated.