Jamf Threat Labs disclosed a new macOS stealer on July 3. It’s called PamStealer, and it does one thing most Mac malware doesn’t: it confirms your login password is real before stealing anything.
The trick
Most stealers just log whatever you type. PamStealer verifies it first, through Apple’s Pluggable Authentication Modules (PAM). Enter the wrong password and it keeps asking until you get it right, so the attacker walks away with a working one.
The verification is also how it hides. Other malware checks passwords by calling tools like dscl or security, which surface in system activity and are exactly what security software watches. PamStealer calls PAM directly and spawns nothing. What makes this hard to guard against is that PAM is a core part of macOS: sudo, the screen saver, and the password prompts in System Settings all rely on it. The malware is abusing a legitimate interface, which is why the real defense is careful habits rather than any one update.
How it gets in
It starts with maccyapp[.]com, a fake site impersonating the real clipboard app Maccy (maccy[.]app). The download is an AppleScript dressed up as the app. Open it and you get fake install steps telling you to press ⌘+R; the real payload sits further down, out of view.
From there it fingerprints the Mac, continues only on Apple silicon, and drops a second stage written in Rust to dodge tools built for Objective-C and Swift. Once your password checks out, it grabs browser cookies, history, saved logins, clipboard contents, and crypto wallets, then encrypts the haul before sending it off. It sets itself to relaunch at login, poses as Finder to fish for Full Disk Access, and signs off with a fake “Maccy is damaged” alert, a decoy, since it’s already done.

What to do
No update fixes this. Caution does.
- Download apps only from sources you trust.
- Treat any unexpected admin password prompt as a red flag.
- Grant Full Disk Access only to apps you know.
If you typed your password into a fake dialog, change it, sign out of your browser sessions, and check your wallets. Maccy’s site now flags the impostor and confirms maccy.app is its only address.
