Updated · Ars Technica · Jul 2
Jamf Uncovers 2-Stage PamStealer Malware That Steals macOS Passwords via PAM

Summary

  • Jamf found a previously unseen macOS infostealer, PamStealer, that validates a victim’s login password through macOS PAM before sending the credential to an attacker-controlled server.
  • The 2-stage malware arrives in a disk image posing as the Maccy clipboard app; a booby-trapped AppleScript tells users to press Command-R, triggering code that bypasses com.apple.quarantine.
  • Instead of obvious shell commands, the script runs a self-contained JXA downloader using native Objective-C APIs, then deploys a Rust-written second stage designed for a quieter execution chain.
  • That payload hides inside fake app bundles such as Finder.app or Software Update.app, encrypts command-and-control traffic, and can delay a Full Disk Access prompt by up to 40 minutes.
  • Jamf said the campaign shows commodity macOS stealers are evolving toward stealthier, native techniques that reduce traditional detection opportunities while blending into standard macOS behavior.
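One defender-side check the summary suggests: the second stage hides in bundles named like system apps (Finder.app, Software Update.app), so an inventory of app bundles can be screened for those names appearing outside the locations where the genuine copies live. This is an added example, not code from Jamf or the article; the trusted system roots, the sample inventory and the helper names are assumptions.

```python
import os
from pathlib import PurePosixPath

# Bundle names the article says PamStealer's second stage impersonates.
IMPERSONATED_BUNDLES = {"Finder.app", "Software Update.app"}

# Assumed locations of the genuine bundles; adjust for the macOS version in use.
TRUSTED_ROOTS = (
    "/System/Library/CoreServices",
    "/System/Applications",
)


def is_trusted_location(bundle_path: str) -> bool:
    """True if the bundle sits directly under one of the trusted system roots."""
    p = PurePosixPath(bundle_path)
    return any(PurePosixPath(root) in p.parents for root in TRUSTED_ROOTS)


def find_impersonating_bundles(bundle_paths):
    """Return every path that reuses a system app's name outside the trusted roots."""
    hits = []
    for path in bundle_paths:
        if PurePosixPath(path).name in IMPERSONATED_BUNDLES and not is_trusted_location(path):
            hits.append(path)
    return hits


def has_quarantine_flag(path: str) -> bool:
    """True if com.apple.quarantine is set on the path (macOS only; False elsewhere).

    A freshly downloaded bundle without this flag is worth a closer look, since the
    article describes the first stage stripping it before the payload runs.
    """
    try:
        return "com.apple.quarantine" in os.listxattr(path)
    except (OSError, AttributeError):
        return False


# Constructed inventory standing in for output of a real bundle enumeration.
SAMPLE_INVENTORY = [
    "/System/Library/CoreServices/Finder.app",
    "/Users/alice/Library/Application Support/Finder.app",
    "/private/tmp/.cache/Software Update.app",
    "/Applications/Maccy.app",
]

if __name__ == "__main__":
    for hit in find_impersonating_bundles(SAMPLE_INVENTORY):
        print("suspicious bundle:", hit, "| quarantined:", has_quarantine_flag(hit))
```

On a live host, feed the function the output of a bundle enumeration (for example the paths in an MDM application inventory) rather than the constructed list.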

Insights

How is advanced malware turning Apple's own trusted applications into security backdoors?
Why are state-sponsored hackers in 2026 suddenly so interested in your Mac's login password?