
Newly Discovered PamStealer Targets macOS Users

Researchers have identified a new type of macOS malware, PamStealer, that steals user login credentials by exploiting the operating system's authentication mechanisms.

2 July 2026
Researchers have identified a new piece of macOS malware, dubbed PamStealer, that combines several sophisticated techniques to infect Macs, steal login credentials, and send them to an attacker-controlled server. A key feature of the malware is its use of the Pluggable Authentication Modules (PAM) interface built into macOS to validate passwords before exfiltrating them.

PamStealer infects a Mac in two stages. The first stage is distributed in a disk image masquerading as Maccy, a popular clipboard manager for Macs. AppleScript code inside this disk image delivers the second stage, the actual credential stealer, to the target.

While disk images and AppleScript are both common in Mac malware, PamStealer is unusual in combining them in a way that enhances its stealth. When the AppleScript file is double-clicked, it opens in macOS's Script Editor, with the malicious functionality buried deep within the file, making it harder to detect.

The PamStealer infostealer, written in Rust, leverages the PAM interface integrated into macOS. This allows the malware to verify the target user's entered password before sending it to attacker-controlled servers. The use of this advanced technique makes PamStealer a notable threat to Mac users.

Original source: arstechnica.com