PamStealer Targets Mac Login Passwords via Fake Maccy Sites and PAM Exploitation
A new macOS information stealer, PamStealer, has been discovered by Jamf Threat Labs, impersonating the Maccy clipboard manager and exploiting Pluggable Authentication Modules (PAM) to steal user credentials.

Cybersecurity researchers have identified a novel macOS information stealer, dubbed PamStealer, which employs a sophisticated multi-stage attack vector to compromise user credentials. Discovered by Jamf Threat Labs, this malware is distributed as a compiled AppleScript disguised as the legitimate Maccy clipboard manager, a popular open-source utility.
The initial infection vector involves luring unsuspecting users to fake websites that mimic the official Maccy download page. These fraudulent sites offer a malicious version of the application, which, upon installation, begins its credential-harvesting operation. The malware's name, PamStealer, directly references its core mechanism: the exploitation of macOS's Pluggable Authentication Modules (PAM).
PamStealer leverages PAM to intercept and steal user login passwords. PAM is a core security component of macOS and other Unix-like systems: it is the framework through which authentication methods are plugged into login and privilege prompts. By manipulating or exploiting vulnerabilities within the PAM framework, PamStealer can capture the credentials a user types at login or when prompted for administrative privileges, effectively bypassing standard security measures.
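Because the stealer's mechanism is PAM abuse, one defensive check is to audit the files under /etc/pam.d/ for entries that deviate from Apple's stock layout. The following is an added example written for this article, not code from Jamf Threat Labs or from the Maccy project; the module allowlist is a partial, assumed baseline that should be rebuilt from a known-clean host, and the sample config (including the injected line) is constructed.

```python
import re
from pathlib import PurePosixPath

# Partial allowlist of PAM modules Apple ships in /usr/lib/pam/ (assumption for
# this example; derive your own baseline from a clean macOS install).
APPLE_PAM_MODULES = {
    "pam_opendirectory.so", "pam_tid.so", "pam_smartcard.so", "pam_permit.so",
    "pam_deny.so", "pam_nologin.so", "pam_group.so", "pam_launchd.so",
    "pam_krb5.so", "pam_ntlm.so", "pam_mount.so", "pam_env.so", "pam_uwtmp.so",
    "pam_sacl.so", "pam_self.so", "pam_rootok.so", "pam_securityserver.so",
}
APPLE_PAM_DIR = "/usr/lib/pam"
PAM_TYPES = {"auth", "account", "password", "session"}

# A pam.d entry is "<type> <control> <module> [args...]"; the control field may be a
# bracketed action list such as "[success=ok default=die]", which contains spaces.
LINE_RE = re.compile(
    r"^\s*(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

def audit_pam_config(text, allowlist=APPLE_PAM_MODULES):
    """Return (line_no, reason, raw_line) for every entry that deviates from the baseline."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((line_no, "unparseable entry", raw))
            continue
        if m["type"] not in PAM_TYPES:
            findings.append((line_no, f"unknown type {m['type']!r}", raw))
            continue
        module = m["module"]
        if "/" in module:   # explicit path: only Apple's module directory is trusted
            if str(PurePosixPath(module).parent) != APPLE_PAM_DIR:
                findings.append((line_no, "module loaded from non-standard path", raw))
                continue
            module = PurePosixPath(module).name
        if module not in allowlist:
            findings.append((line_no, f"module {module!r} not in baseline", raw))
    return findings

# Constructed sample mirroring the layout of a stock /etc/pam.d/sudo, plus one injected entry.
SAMPLE_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       optional       /Library/Caches/.x/pam_capture.so  # constructed rogue entry
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

if __name__ == "__main__":
    for line_no, reason, line in audit_pam_config(SAMPLE_SUDO):
        print(f"line {line_no}: {reason}: {line.strip()}")
```

Run it over every file in /etc/pam.d/ and investigate each finding; a module loaded from outside /usr/lib/pam/ in an auth stack is exactly the kind of change that warrants a closer look.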
Once the credentials are stolen, PamStealer exfiltrates them to a remote command-and-control (C2) server operated by the attackers. This data can then be used for various malicious purposes, including unauthorized access to user accounts, financial theft, or further network intrusion. The use of a legitimate-looking application and a trusted system component like PAM makes this malware particularly insidious and difficult to detect.
Jamf Threat Labs has noted that the compiled AppleScript is designed to evade initial detection. While the exact scope of the campaign and the number of affected users are still under investigation, the presence of such a targeted and technically advanced information stealer on the macOS platform highlights the evolving threat landscape for Apple users. The attackers are actively seeking to exploit user trust and system functionalities.
While specific details on the full extent of PamStealer's capabilities and its distribution network are still emerging, its reliance on social engineering tactics combined with deep system-level exploitation underscores a growing trend in macOS malware. Users are strongly advised to download software only from official sources and to be wary of unsolicited prompts or suspicious website appearances.
Security researchers recommend that macOS users remain vigilant, ensure their systems are updated with the latest security patches, and consider employing robust endpoint security solutions. The discovery of PamStealer serves as a stark reminder that no operating system is entirely immune to sophisticated malware threats, and continuous monitoring and user education are paramount in mitigating these risks.