July 05, 2026 ChainGPT

Fake Maccy App Installs Rust “PamStealer” on Macs — Can Harvest Keychain & Crypto Keys

Mac users searching for the open-source clipboard manager Maccy are being lured to a lookalike site that installs a new Rust-built infostealer called “PamStealer,” Jamf Threat Labs warns. If executed, the malware can harvest passwords, browser credentials, macOS Keychain entries and, critically for crypto users, private keys and clipboard contents.

How the scam works

- Victims download a disk image that contains an AppleScript file named Maccy.scpt. When opened, the script displays benign-looking instructions telling users to run it in Apple’s Script Editor, while the malicious code is hidden further down in the document.
- Jamf named the threat “PamStealer” because one of its core behaviors is validating the victim’s login password via macOS Pluggable Authentication Modules (PAM) before harvesting it, so the stealer only exfiltrates a password it has confirmed is correct.
- The dropper uses JavaScript for Automation (JXA) and native macOS APIs to fetch a second-stage payload, avoiding common shell utilities like curl or zsh so that fewer observable child processes are spawned for security tools to inspect.

The second stage: stealthy, Rust-based, Apple Silicon-focused

- The follow-up payload is a Rust binary compiled for Apple Silicon that masquerades as Finder or Software Update.
- Instead of storing its configuration in cleartext, the malware derives a decryption key from a host “fingerprint” (CPU architecture, locale, keyboard layout, time zone, etc.) and uses it to unlock an encrypted, integrity-checked config containing the payload URL and install path. A sample that lands on a host with a different fingerprint cannot decrypt its own config, which makes sandbox analysis and reuse on other hosts harder.
- Once installed, PamStealer can exfiltrate browser credentials and Keychain data, monitor clipboard contents (a major risk for users who copy private keys or seed phrases), establish persistence, and send stolen data to a remote command-and-control server over encrypted channels. If the binary determines it is not on an intended target, it shuts down quietly.
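The following is an added illustration of the environmentally keyed configuration described above; it is example code written for this article, not PamStealer's code or Jamf's analysis tooling. It assumes a fingerprint built from the four attributes the article lists (field order and separator are this example's own convention), derives separate encryption and MAC keys from that fingerprint with HMAC-SHA256, and uses a SHA-256 counter-mode keystream as a stand-in cipher, since the real binary's cipher is not described. The config values are constructed placeholders. It also goes one step beyond the article with an analyst-side routine that recovers the config by enumerating candidate fingerprints.

```python
import hashlib
import hmac
import json
import os
from itertools import product

# Hypothetical config in the shape the article describes (payload URL and
# install path); both values are constructed placeholders.
SAMPLE_CONFIG = {
    "payload_url": "https://stage2.example.invalid/update",
    "install_path": "/Users/victim/Library/Application Support/.softwareupdate",
}


def host_fingerprint(arch: str, locale: str, keyboard: str, tz: str) -> bytes:
    """Canonical host fingerprint from the attributes the article lists.
    Field order and separator are this example's own convention."""
    return "|".join((arch, locale, keyboard, tz)).encode()


def derive_keys(fingerprint: bytes, salt: bytes) -> tuple:
    """HKDF-style extract-then-expand: one key for encryption, one for the MAC."""
    prk = hmac.new(salt, fingerprint, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"config-enc", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"config-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for whatever stream cipher the real
    binary uses; the point here is the key derivation, not the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_config(config: dict, fingerprint: bytes) -> bytes:
    """Encrypt and authenticate a config so only the fingerprinted host can open it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(fingerprint, salt)
    plaintext = json.dumps(config, sort_keys=True).encode()
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_config(blob: bytes, fingerprint: bytes):
    """Return the config dict, or None when the MAC fails (wrong host or tampering).
    The MAC is checked before decryption, so a wrong key yields no plaintext at all."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(fingerprint, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def recover_config(blob: bytes, archs, locales, keyboards, tzs):
    """Analyst side: the fingerprint has little entropy, so enumerate candidate
    attribute combinations until the MAC verifies. Returns (fingerprint, config) or None."""
    for combo in product(archs, locales, keyboards, tzs):
        fp = host_fingerprint(*combo)
        cfg = open_config(blob, fp)
        if cfg is not None:
            return fp, cfg
    return None


if __name__ == "__main__":
    target = host_fingerprint("arm64", "en_US", "US", "America/Los_Angeles")
    sandbox = host_fingerprint("x86_64", "en_US", "US", "UTC")
    blob = seal_config(SAMPLE_CONFIG, target)
    print("on target:", open_config(blob, target))
    print("in sandbox:", open_config(blob, sandbox))
    print("brute-forced:", recover_config(blob, ["arm64", "x86_64"], ["en_US"], ["US"],
                                          ["UTC", "America/Los_Angeles"]))
```

The design choice worth noting is MAC-before-decrypt: a sample detonated on the wrong host fails the integrity check and never produces partial plaintext for the analyst to read, which is the "integrity-checked" property the article mentions. The caveat is that architecture, locale, keyboard layout and time zone together have very little entropy, so an analyst with the binary can recover the config by enumerating plausible combinations as recover_config does; this technique raises the cost of analysis, it does not prevent it.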
Escalation tactics and timing tricks

- The malware tries to gain broader access by showing a fake Finder alert asking for Full Disk Access. That prompt may be delayed, appearing up to 40 minutes after infection, so victims are less likely to link it to the original download. If granted, the attacker could read protected data from Mail, Messages, Time Machine backups, and more.

Campaign context and scope

- Jamf says it has not observed signs of PamStealer actively spreading in the wild but has notified Apple of its findings. The company also flagged broader social engineering patterns: attackers have bought ad placements (on Google, and increasingly on X) or used verified accounts to steer users to malicious downloads.
- Jamf noted another recent ad-driven case in which a sponsored ad on X led users to dynamicmacisland[.]com and to a Terminal installation command; that payload was a recent Atomic (MacSync) stealer variant.
- The PamStealer discovery arrives amid multiple campaigns abusing trusted channels and developer platforms: researchers have flagged a fake OpenAI repo on Hugging Face distributing a Rust infostealer, a malicious Visual Studio Code extension that exposed thousands of repos, and the Shai-Hulud supply-chain campaign targeting AI development tools.

Why crypto users should care

- Clipboard monitoring and Keychain theft directly threaten users who copy private keys, seed phrases, or wallet passwords. Malware disguised as legitimate macOS software makes casual downloads especially risky.

Practical takeaways

- Only download apps from official project pages or verified stores.
- Avoid running scripts pasted into Script Editor or Terminal unless you fully trust the source, and be skeptical of ads steering you to installer commands.
- Do not grant Full Disk Access to unknown apps. A permission prompt that appears long after an install, with no action of yours to explain it, should be treated as a warning sign, and existing grants can be reviewed and revoked under System Settings > Privacy & Security > Full Disk Access.

Jamf Threat Labs published the detailed report on Thursday and alerted Apple; Apple had not commented at the time of reporting.
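As an added detection example (not from Jamf's report or any vendor product), the script below turns three behaviors the article describes into rules run over a constructed, EDR-style JSON-lines event stream: a process carrying a system-app name such as Finder but executing from outside Apple's system paths, a script host (Script Editor or osascript) making an outbound connection directly instead of spawning curl, and a Full Disk Access grant (the TCC service kTCCServiceSystemPolicyAllFiles) to a client outside the standard install roots. The field names, the sample events, and the path roots treated as trusted are this example's own assumptions.

```python
import json

# Constructed telemetry in a simplified JSON-lines shape; field names are this
# example's own, not those of any specific EDR or of macOS Endpoint Security.
SAMPLE_EVENTS = """
{"type":"exec","pid":501,"name":"Script Editor","path":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","parent":"launchd"}
{"type":"net","pid":501,"name":"Script Editor","dst":"203.0.113.7:443"}
{"type":"exec","pid":777,"name":"Finder","path":"/Users/victim/Library/Application Support/.softwareupdate/Finder","parent":"Script Editor"}
{"type":"exec","pid":778,"name":"Finder","path":"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder","parent":"launchd"}
{"type":"tcc","service":"kTCCServiceSystemPolicyAllFiles","client":"/Users/victim/Library/Application Support/.softwareupdate/Finder","allowed":true}
{"type":"tcc","service":"kTCCServiceSystemPolicyAllFiles","client":"/Applications/Backup Tool.app","allowed":true}
{"type":"exec","pid":900,"name":"curl","path":"/usr/bin/curl","parent":"zsh"}
"""

# Names the article says the payload borrows; "SoftwareUpdate" covers the
# no-space spelling. Extend with other CoreServices names as needed.
APPLE_SYSTEM_NAMES = {"Finder", "Software Update", "SoftwareUpdate"}
# Roots under which genuine Apple system binaries live (assumption of this example).
SYSTEM_ROOTS = ("/System/", "/usr/", "/Library/Apple/")
# Roots where a legitimately installed third-party app may reasonably hold FDA.
TRUSTED_INSTALL_ROOTS = SYSTEM_ROOTS + ("/Applications/", "/Library/")
SCRIPT_HOSTS = {"Script Editor", "osascript"}
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, in stream order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Run the three rules over a time-ordered event list and return findings.
    Exec events are processed before later TCC events so a grant to a binary
    already flagged as masquerading can be escalated."""
    findings = []
    masqueraded = set()
    for ev in events:
        kind = ev["type"]
        if kind == "exec" and ev["name"] in APPLE_SYSTEM_NAMES \
                and not ev["path"].startswith(SYSTEM_ROOTS):
            masqueraded.add(ev["path"])
            findings.append({"rule": "system_name_outside_system_path",
                             "severity": "high", "pid": ev["pid"], "path": ev["path"]})
        elif kind == "net" and ev["name"] in SCRIPT_HOSTS:
            # JXA fetching a payload via native APIs shows up as the script host
            # itself talking to the network, with no curl child to catch.
            findings.append({"rule": "script_host_outbound_connection",
                             "severity": "medium", "pid": ev["pid"], "dst": ev["dst"]})
        elif kind == "tcc" and ev["service"] == FULL_DISK_ACCESS and ev["allowed"]:
            client = ev["client"]
            if client in masqueraded:
                findings.append({"rule": "fda_granted_to_masquerading_binary",
                                 "severity": "critical", "path": client})
            elif not client.startswith(TRUSTED_INSTALL_ROOTS):
                findings.append({"rule": "fda_granted_outside_standard_roots",
                                 "severity": "medium", "path": client})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

Two design points: the rules key on executable path rather than process name, because the name is exactly what the payload forges, and the Full Disk Access rule escalates only when the grantee is a binary already seen masquerading, so a backup tool in /Applications that legitimately holds FDA is not flagged. Because the real prompt can arrive up to 40 minutes after infection, correlation has to span a window that long; a per-event rule without the earlier exec context would rate the grant as medium at best.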
Jamf’s Director Jaron Bradley emphasized how well these social-engineering lures work: “With many stealers, we have seen attackers purchasing Google Ad space to lure users to the malicious app. We have recently observed malicious ads being hosted on X as well. These social engineering techniques have proven to be highly successful.”