Researchers at Jamf Threat Labs report a newly identified macOS information-stealing malware called PamStealer. The campaign distributes a compiled AppleScript file (.scpt) that impersonates the legitimate open-source clipboard manager Maccy, including use of fake Maccy-branded web content and lures that aim to convince users to install or grant access to the malicious file. PamStealer uses a multi-stage setup in which an AppleScript-delivered component brings in additional code written in Rust.
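
For defenders triaging the delivery stage described above, the following is an added example, not code from Jamf's report or from the Maccy project. It flags files whose name carries the Maccy lure and whose content is a compiled AppleScript, checking the `FasdUAS` file magic instead of the extension; the `maccy` name filter and the sample files are assumptions constructed for the demo.

```python
import os
import tempfile

# Magic bytes found at the start of a compiled AppleScript file.
FASDUAS_MAGIC = b"FasdUAS"
# Lure name taken from the report; the name filter is an assumption.
LURE_NAME = "maccy"


def is_compiled_applescript(path):
    """Return True if the file starts with the compiled-AppleScript magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(FASDUAS_MAGIC)) == FASDUAS_MAGIC
    except OSError:
        return False


def find_suspect_scripts(root):
    """Return sorted paths under root of Maccy-named compiled AppleScripts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Content is checked, so a renamed .scpt is still reported.
            if LURE_NAME in name.lower() and is_compiled_applescript(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files (not real malware) for the demo."""
    samples = {
        "Maccy.scpt": FASDUAS_MAGIC + b" constructed body",
        "Maccy Installer.dat": FASDUAS_MAGIC + b" constructed body",  # renamed
        "maccy-readme.txt": b"Maccy is a clipboard manager.\n",
        "backup.scpt": FASDUAS_MAGIC + b" constructed body",  # no lure name
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_suspect_scripts(tmp):
            print("suspect:", path)
```

A hit is a lead for review, not a verdict: the check only establishes that a Maccy-named file is a compiled script.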

A key feature highlighted across reports is how the malware handles credentials. PamStealer validates macOS login passwords locally using Apple’s Pluggable Authentication Modules (PAM) before stealing further data. This password-check step is described as unusual compared with other macOS stealers, which often accept and collect passwords without confirming they work. The reports also describe a user-facing prompt intended to resemble a system authorization request, and behavior intended to stay concealed, including repeating prompts until the correct password is provided. After successful validation, PamStealer proceeds with data theft and may request permissions such as full disk access to the decoy app. Researchers also report the malware includes capabilities to access information related to Ethereum accounts.