Jamf Threat Labs identified a new macOS information stealer called PamStealer that masquerades as Maccy, a legitimate open-source clipboard manager. Attackers distribute the malware as a compiled AppleScript (.scpt) file, a format that evades traditional detection mechanisms.
PamStealer exploits macOS security features to harvest login credentials. The malware leverages PAM (Pluggable Authentication Modules) checks, a standard Unix authentication framework present on macOS systems, to extract passwords during the infection process. By mimicking trusted clipboard management software, the stealer gains user trust and lowers defensive barriers.
The attack vector targets macOS users through social engineering. Victims download what appears to be Maccy but instead receive the compiled AppleScript payload. Once executed, PamStealer initiates credential theft by querying system authentication mechanisms, capturing plaintext passwords or authentication tokens.
AppleScript compilation presents a particular problem for macOS security. Compiled scripts execute with minimal scrutiny compared to traditional binaries, and antivirus engines struggle to identify malicious payloads within .scpt files. This format allows PamStealer to operate under the radar of endpoint detection and response systems.
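One defensive counter to the .scpt blind spot described above is to classify downloads by content rather than by name. The following is an added example, not code from Jamf's report: compiled AppleScript files begin with the 7-byte magic `FasdUAS`, so a scan keyed on that header finds such payloads regardless of the filename or extension they carry. The sample folder and file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# A compiled AppleScript (.scpt) file begins with this 7-byte header.
SCPT_MAGIC = b"FasdUAS"


def is_compiled_applescript(path: Path) -> bool:
    """True if the file starts with the compiled-AppleScript magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SCPT_MAGIC)) == SCPT_MAGIC
    except OSError:
        return False


def scan_for_compiled_applescript(root: str) -> list:
    """Walk `root` and report every compiled AppleScript found by content.

    Each hit records the path and whether the extension hides the format
    (anything other than .scpt), the pattern a masquerading payload relies on.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_compiled_applescript(p):
                hits.append({"path": str(p), "disguised": p.suffix.lower() != ".scpt"})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Create a constructed Downloads-like folder so the scan runs offline.

    Only the 7-byte header is real; the rest is filler. Nothing here executes.
    """
    root = tempfile.mkdtemp(prefix="scpt_scan_")
    samples = {
        "Maccy.scpt": SCPT_MAGIC + b"\x00" * 16,     # compiled script, honest extension
        "Maccy Update.pkg": SCPT_MAGIC + b"filler",  # compiled script, misleading extension
        "notes.txt": b"just a text file",            # not a script
        "Maccy.dmg": b"\x00" * 32,                   # not a script either
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for hit in scan_for_compiled_applescript(build_sample_tree()):
        print(f"[{'DISGUISED' if hit['disguised'] else 'scpt'}] {hit['path']}")
```

Pointing `scan_for_compiled_applescript` at a real Downloads folder turns this into a quick triage pass; a hit whose extension is not .scpt deserves a closer look before anything is opened.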
The discovery underscores a broader trend in macOS threats. Attackers increasingly target Apple systems through application impersonation rather than zero-day exploits. Legitimate software names, particularly utility applications with modest user bases like Maccy, serve as effective covers for malicious payloads.
Organizations and individual users face concrete risks. Stolen credentials grant attackers persistent access to systems, corporate networks, and cloud services linked to compromised accounts. The infection occurs before security software can intervene, making credential theft nearly inevitable once the malware executes.
Mitigation requires vigilance during downloads. Users should verify software sources through official repositories or
