PamStealer Infostealer Targets Maccy Users With Fake Maccy Files And PAM Password Validation


02 July, 2026. Technology and Science. 4 sources

Key Takeaways

  • PamStealer disguises as Maccy clipboard manager to harvest data.
  • Verifies Mac login passwords before exfiltrating sensitive data.
  • An AppleScript-based delivery chain stages the second-stage payload.

PamStealer targets Maccy

Jamf Threat Labs has documented a macOS infostealer called PamStealer that targets users of the third-party clipboard manager Maccy by distributing fake Maccy files through malicious websites that impersonate the real maccy.app site.

Jamf Threat Labs has published a report about PamStealer, a macOS infostealer

Apple World Today

Macworld reports that Jamf Threat Labs identified PamStealer as malware delivered via fake websites distributing malicious AppleScript files, with the fake files described as Maccy.scpt AppleScript files made to look like legitimate installer files and distributed on disk images.
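The lure described above is a script file presented as an installer inside a disk image. As an added illustration (not code from Jamf or any of the cited outlets), the Python helper below walks a directory such as a mounted disk image and reports every compiled AppleScript it finds, going one step beyond the reported lure by also catching scripts whose .scpt extension has been removed. The header bytes, file names and installer-style keywords are constructed assumptions for the demo.

```python
import os
import pathlib
import tempfile

APPLESCRIPT_MAGIC = b"FasdUAS"                  # header of a compiled .scpt file
SCRIPT_EXTS = {".scpt", ".applescript"}
LURE_WORDS = ("maccy", "install", "setup")      # assumed installer-style name hints


def is_compiled_applescript(path):
    """True if the file starts with the compiled-AppleScript header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(APPLESCRIPT_MAGIC)) == APPLESCRIPT_MAGIC
    except OSError:
        return False


def triage_dir(root):
    """Walk root (e.g. a mounted DMG) and report each AppleScript found, noting
    whether its name looks like an installer lure and whether the script hides
    behind a non-script extension."""
    root = pathlib.Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = pathlib.Path(dirpath, name)
            compiled = is_compiled_applescript(path)
            ext = path.suffix.lower()
            if not compiled and ext not in SCRIPT_EXTS:
                continue                         # not a script of interest
            findings.append({
                "path": str(path.relative_to(root)),
                "compiled": compiled,
                "lure_name": any(w in name.lower() for w in LURE_WORDS),
                "disguised": compiled and ext not in SCRIPT_EXTS,
            })
    return findings


def demo():
    """Builds a constructed sample disk-image layout and triages it."""
    root = pathlib.Path(tempfile.mkdtemp())
    header = APPLESCRIPT_MAGIC + b" 1.101.10\x0e\x00\x00\x00"   # constructed stub body
    (root / "Maccy.scpt").write_bytes(header)            # lure shaped like the reported one
    (root / "Maccy Installer").write_bytes(header)       # same script, extension dropped
    (root / "README.txt").write_text("Maccy clipboard manager\n")
    return triage_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```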


Ars Technica says the malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules interface built into macOS to validate the target’s login password before sending it to an attacker-controlled server.

AppleInsider adds that PamStealer disguises itself as the Maccy clipboard manager and uses AppleScript alongside a Rust payload to infect Macs, with Jamf finding that it verifies login passwords through Apple's Pluggable Authentication Modules before stealing additional data.

Quieter chain, credential checks

Ars Technica describes a “quieter execution chain” in which the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs.

The same Ars Technica account says PamStealer’s password capture workflow “validates credentials locally through PAM,” and then the Rust-based second stage masquerades as Finder, encrypts its command-and-control traffic, and holds back prompts like the Full Disk Access request for as long as forty minutes.


AppleInsider says PamStealer displays what appears to be a legitimate macOS authorization prompt asking the user to enter a password so Maccy can make changes, but instead of just recording what the victim types, it validates the password through Apple's Pluggable Authentication Modules before continuing.

Apple World Today likewise frames the attack as a two-stage chain that “silently harvest data and clipboard contents while evading detection,” with the malware’s second stage encrypting command-and-control traffic and delaying the Full Disk Access prompt.

What it steals and next steps

After validating credentials, AppleInsider says the second-stage Rust payload collects browser cookies, browsing history, saved credentials, SQLite databases, clipboard contents and cryptocurrency wallet data, and it encrypts stolen information before transmitting it to command-and-control infrastructure.

Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code.

Ars Technica

AppleInsider also says PamStealer creates login items through both modern and legacy macOS mechanisms so it relaunches automatically after a user signs in, and that it impersonates Finder when attempting to convince victims to grant Full Disk Access.

Macworld advises that to avoid downloading the malicious files, Maccy customers should make sure they are visiting the maccy.app website, where a disclaimer states “maccy.app is the only official website.”

Ars Technica concludes that PamStealer depends on users downloading software from an untrusted source and approving multiple prompts before the malware can complete its attack, and it urges users to be skeptical of unexpected administrator password prompts and avoid unnecessary Full Disk Access requests.
