Jamf Threat Labs identified CrashStealer as a new macOS infostealer delivered through a signed, Apple-notarized app that passes Gatekeeper checks before fetching its main payload.
Native C++ malware then validates the victim's login password locally, unlocks the keychain, and steals data from Chromium-based browsers, about 80 crypto wallet extensions, 14 password managers, and files in Documents and Downloads.
Werkbit.app arrives via a disk image from werkbit.io, a domain registered in June 2026, and the download is hidden behind a meeting PIN rather than exposed to all visitors.
GitHub-hosted staging code pulls a shell script that downloads CrashReporter.dmg; the malware persists as a LaunchAgent, re-signs itself, encrypts stolen data with AES-GCM, and exfiltrates it over libcurl to 179.43.166.242.
Shared domains and backend infrastructure suggest CrashStealer is part of a broader multi-platform campaign, with its notarized delivery and anti-analysis design marking a step up from typical macOS stealers.
Is the CrashStealer malware just the tip of the iceberg in a massive multi-platform attack?
With notarized malware bypassing Gatekeeper, is the fortress of macOS security starting to crumble?
2026 macOS Security Breach: CrashStealer Malware Exploits Notarization to Steal Keychain and Crypto Data
Overview
CrashStealer is a newly discovered macOS infostealer malware that appeared in July 2026, posing a major threat by bypassing Apple’s Gatekeeper security. It achieves this by using a signed and notarized dropper application, allowing it to run on Macs without triggering any warnings. Once active, CrashStealer tricks users with a fake macOS password prompt. When users enter their administrator password, the malware uses it to unlock the Keychain, where sensitive data like Safari logins, Wi-Fi passwords, and cryptographic keys are stored. This stolen information is then packaged into a ZIP archive and sent to the attackers, making CrashStealer both stealthy and dangerous.