Updated
Updated · The Hacker News · Jul 14
CrashStealer Bypasses macOS Gatekeeper With Notarized Dropper, Targets 80 Crypto Wallets
Updated
Updated · The Hacker News · Jul 14

CrashStealer Bypasses macOS Gatekeeper With Notarized Dropper, Targets 80 Crypto Wallets

3 articles · Updated · The Hacker News · Jul 14

Summary

  • Jamf Threat Labs identified CrashStealer as a new macOS infostealer delivered through a signed, Apple-notarized app that passes Gatekeeper checks before fetching its main payload.
  • Native C++ malware then validates the victim's login password locally, unlocks the keychain, and steals data from Chromium-based browsers, about 80 crypto wallet extensions, 14 password managers, and files in Documents and Downloads.
  • Werkbit.app arrives via a disk image from werkbit.io, a domain registered in June 2026, and the download is hidden behind a meeting PIN rather than exposed to all visitors.
  • GitHub-hosted staging code pulls a shell script that downloads CrashReporter.dmg; the malware persists as a LaunchAgent, re-signs itself, encrypts stolen data with AES-GCM, and exfiltrates it over libcurl to 179.43.166.242.
  • Shared domains and backend infrastructure suggest CrashStealer is part of a broader multi-platform campaign, with its notarized delivery and anti-analysis design marking a step up from typical macOS stealers.

Insights

Is the CrashStealer malware just the tip of the iceberg in a massive multi-platform attack?
With notarized malware bypassing Gatekeeper, is the fortress of macOS security starting to crumble?

2026 macOS Security Breach: CrashStealer Malware Exploits Notarization to Steal Keychain and Crypto Data

Overview

CrashStealer is a newly discovered macOS infostealer malware that appeared in July 2026, posing a major threat by bypassing Apple’s Gatekeeper security. It achieves this by using a signed and notarized dropper application, allowing it to run on Macs without triggering any warnings. Once active, CrashStealer tricks users with a fake macOS password prompt. When users enter their administrator password, the malware uses it to unlock the Keychain, where sensitive data like Safari logins, Wi-Fi passwords, and cryptographic keys are stored. This stolen information is then packaged into a ZIP archive and sent to the attackers, making CrashStealer both stealthy and dangerous.

...