Thursday, July 2, 2026

PamStealer is a Rust-based macOS infostealer that validates credentials through PAM

Jamf Threat Labs has published a report about PamStealer, a macOS infostealer.

It’s disguised as the legitimate Maccy clipboard manager and uses a two-stage attack chain to silently harvest data and clipboard contents while evading detection. Here’s the conclusion from Jamf Threat Labs:

PamStealer combines a recently emerging delivery surface with a less familiar payload. While the clickable .scpt and Script Editor lure build on tradecraft that is already gaining adoption across the macOS threat landscape, the malware distinguishes itself through a self-contained JXA dropper, a Rust-based second stage, and a password capture workflow that validates credentials locally through PAM before harvesting them. That second stage puts considerable effort into staying hidden, masquerading as Finder, encrypting its command-and-control traffic, and holding back prompts like the Full Disk Access request for as long as forty minutes so its activity does not line up with launch. Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.

Read the complete report here for details.

What should you do?

PamStealer depends on people downloading software from unknown sources and then approving multiple prompts before the malware can complete its attack. Download Mac apps only from trusted developers, and verify website addresses before installing software.

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.