Jamf Threat Labs has published a report about PamStealer, a macOS infostealer.
It is disguised as the legitimate Maccy clipboard manager and uses a two-stage attack chain to silently harvest data and clipboard contents while evading detection. Here is the conclusion from Jamf Threat Labs:

PamStealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the macOS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.
Read the complete report here for details.
What should you do?
PamStealer depends on people downloading software from unknown sources and then approving multiple prompts before the malware can complete its attack. Download Mac apps only from trusted developers, and verify the website address before installing any software.