

Malware that targets Mac users has historically been a minority concern in enterprise security. The assumption, persistent and largely comfortable, has been that macOS's architecture makes it inherently harder to compromise than Windows. That assumption has been eroding for years, and PamStealer, a newly documented information stealer discovered by Jamf Threat Labs, is one more piece of evidence that the erosion is accelerating.
PamStealer does not arrive through a browser exploit or a compromised enterprise application. It arrives dressed as a clipboard manager, impersonating one of the most innocuous categories of productivity software a developer or power user might install. The social engineering layer is light but effective, and the technical layer beneath it is more sophisticated than the distribution mechanism suggests.
PamStealer was identified and named by Jamf Threat Labs, the threat research division of Jamf, a company that specialises in Apple device management for enterprise environments. The name reflects the malware's primary technical mechanism: it abuses PAM, the Pluggable Authentication Modules framework built into macOS, to extract login passwords from the operating system's authentication subsystem.
The discovery followed analysis of a file distributed through counterfeit websites impersonating Maccy, a legitimate open-source clipboard manager popular among macOS power users. Maccy is a well-regarded utility that stores a history of clipboard contents, allowing users to access previously copied text and images without repeatedly copying them. Its popularity in developer communities makes it a credible impersonation target: the category of user most likely to install a clipboard manager is also the category most likely to have access to sensitive enterprise systems, development environments, and code repositories.
PamStealer delivers its payload in two stages. The first is a compiled AppleScript (.scpt) file packaged inside a disk image, which executes a JavaScript for Automation (JXA) downloader. This JXA downloader fetches and stages the second stage: a Rust-based infostealer that performs the credential theft, browser data collection, and exfiltration. Compiled AppleScript files can be run directly on macOS without additional dependencies, and the specific delivery method exploits a notable gap in Apple's Gatekeeper controls: the malicious script executes even when the file still carries the com.apple.quarantine attribute, which normally flags unverified downloads. The script instructs users to open it via Script Editor and press Command+R, a step that triggers execution despite the quarantine flag.
The infrastructure supporting PamStealer's distribution relies on websites that convincingly mimic the appearance of the legitimate Maccy project page. Users searching for Maccy through search engines, or clicking links shared in developer communities, may land on these counterfeit pages and download what appears to be the genuine application. This type of typosquatting and lookalike site infrastructure has become a standard component of infostealer distribution campaigns in 2026, applied across multiple platforms and targeting multiple software categories.
What distinguishes the PamStealer distribution from simpler malware delivery approaches is the use of AppleScript as the payload format. A compiled .scpt file does not look obviously malicious to a user expecting a macOS application bundle. The expectation for legitimate macOS software is a .dmg or .pkg installer, or an application directory. A compiled script file falls outside the usual mental model of what an attacker would deliver, which may reduce the cognitive alarm response that a user might otherwise have when opening a downloaded file.
Once the compiled AppleScript is executed, it performs a series of operations that are individually consistent with system automation but collectively constitute an infostealing routine. The script queries system information, locates credential storage locations, and initiates the PAM-based password extraction that gives the malware its name, before transmitting the collected data to attacker-controlled infrastructure.
PAM, or Pluggable Authentication Modules, is a framework present in Linux and macOS systems that provides a standardised interface for authentication operations. On macOS, applications that need to perform privileged operations can invoke PAM to request the user's login password through a system prompt. This mechanism is used legitimately by a wide range of macOS applications and system utilities: package managers, security tools, and administrative applications all invoke PAM when they require elevated permissions.
The mechanism PamStealer uses for credential capture is precise: it invokes a real PAM authentication call to validate the victim's login password. The user sees a genuine macOS system prompt, enters their password, and the authentication succeeds normally. What they do not know is that PamStealer intercepts the credential at that moment, using the real PAM validation to confirm the password is correct before capturing it. Unlike infostealers that rely on counterfeit dialogue boxes, PamStealer triggers an authentic system-level authentication event, making the interception indistinguishable from a legitimate privilege request.
This technique is particularly effective because it does not require the attacker to crack a stored password hash or exploit a vulnerability in the keychain. It captures the plaintext credential at the moment the user types it, bypassing the cryptographic protections that protect stored password data. The user, having seen what appeared to be a routine system prompt and entered their password to complete what they thought was an installation step, has no indication that their credential has been captured.
The macOS login password is a high-value target because it is the master key to the user's keychain, the encrypted credential storage system built into macOS that holds passwords for applications, websites, and system services. An attacker who has obtained the login password and access to the keychain can extract credentials for every service the user has saved there, potentially including corporate VPNs, cloud infrastructure consoles, code repositories, and enterprise single sign-on portals.
Beyond the PAM-based password capture, PamStealer follows the standard infostealer playbook for macOS targets. Browser credential databases are a primary target: the major browsers, Chrome, Firefox, Safari, and Brave, all store saved passwords and session cookies in locations on the local filesystem that are accessible to processes running with user-level permissions. The credential databases are often encrypted, but the encryption keys are derived from the macOS login password, which PamStealer has already captured.
Browser session cookies represent a second category of high-value data. A session cookie for an authenticated web application can allow an attacker to assume the user's identity in that application without knowing the password, and often without triggering multi-factor authentication, because the session was originally established through a legitimate login that passed the MFA check. This is the mechanism behind session hijacking attacks, which have been used extensively to bypass MFA in attacks on cloud platforms and enterprise SaaS applications.
Cryptocurrency wallet data is a third target category. macOS users in developer and security research communities frequently maintain cryptocurrency wallets, both for personal investment and for work-related purposes such as purchasing access to dark web intelligence services or paying for research tools. Wallet files stored on the local filesystem, including the private keys necessary to transfer funds, are accessible to a process running with user-level permissions.
The combination of login password, browser credentials, session cookies, and wallet data creates a complete exfiltration package that an attacker can monetise across multiple channels: selling the credential set on infostealer log marketplaces, using the session cookies for immediate account takeover, or deploying the corporate credentials for follow-on intrusions into enterprise environments.
The enterprise macOS fleet has grown substantially over the past decade. The adoption of Apple hardware in technology companies, financial services firms, and creative industries has created a population of corporate macOS users that was previously small enough to be largely ignored by financially motivated threat actors. That population is now large enough to justify the development of macOS-specific malware tooling, and the ecosystem of macOS infostealers has expanded accordingly.
Several characteristics of the typical macOS enterprise user make this population disproportionately valuable relative to its size. Developer workstations running macOS often have access to source code repositories, cloud infrastructure, and deployment pipelines. Security researchers running macOS have access to threat intelligence platforms, malware analysis environments, and vulnerability research tools. Executives using macOS for productivity have access to communications and financial systems. The credential value of a single compromised macOS system in the right hands is often higher than multiple Windows endpoints in a general corporate environment.
The security tooling gap has also contributed to the platform's attractiveness as a target. Endpoint detection and response coverage on macOS is less mature than on Windows, and many organisations that have invested heavily in Windows EDR deployment have extended that coverage to their macOS fleet inconsistently or not at all. A macOS system without EDR coverage that runs a malicious AppleScript file may generate no alert, leaving the compromise undetected until the attacker has used the stolen credentials to access something more visible.
The indicators of compromise produced by PamStealer infections, including network connections to command and control infrastructure and filesystem artefacts left by the AppleScript execution, can be detected by properly configured security tooling. But detection requires that tooling to be present and monitoring macOS endpoints with the same rigour applied to Windows systems.
The most immediate defensive measure for organisations that manage macOS fleets is the deployment of a mobile device management solution with application allow-listing or at minimum application source restriction. macOS Gatekeeper, the operating system's built-in application verification mechanism, can be configured to refuse the execution of files that do not carry a valid Apple developer signature. A compiled AppleScript file from a counterfeit Maccy site is unlikely to carry a valid signature from the Maccy project's registered developer identity, and a properly configured Gatekeeper policy would block its execution.
Browser extension policy is a secondary control. Many infostealer campaigns have moved to browser extension distribution as an alternative to standalone executables, and macOS environments that permit the installation of arbitrary browser extensions from outside the Chrome Web Store or Firefox Add-ons repository are exposed to a category of credential theft that does not rely on AppleScript or any other system-level execution mechanism. A managed browser policy that restricts extensions to approved sources removes this attack surface.
User awareness training for macOS users should specifically address the risk of software downloaded from sites that impersonate legitimate projects. The visual difference between a genuine project page and a carefully constructed lookalike is often minimal, particularly when the counterfeit site uses legitimate SSL certificates and mirrors the genuine project's branding accurately. Training that teaches users to verify software downloads against the official repository link rather than search engine results, and to be suspicious of any macOS authentication prompt that appears during or immediately after a software installation, addresses the specific social engineering layer that PamStealer exploits.
At the network level, monitoring for connections to known command and control infrastructure from macOS endpoints provides detection coverage for infections that have already occurred. Threat intelligence feeds that include infostealer C2 indicators can be used to generate alerts when a macOS endpoint initiates a connection to infrastructure associated with PamStealer or related campaigns. This layer of detection operates independently of endpoint-level controls and can identify compromises that bypassed application controls through techniques not yet captured in Gatekeeper signatures.
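As an added illustration of the correlation such tooling would perform (not code from Jamf Threat Labs or any vendor), the Python below scores a constructed endpoint timeline for the chain described on this page: a quarantined compiled .scpt launched by Script Editor or osascript from a mounted disk image, an authentication prompt shortly afterwards, and an outbound connection from a process outside an assumed baseline. The event schema, process names, the trusted-process list and the 203.0.113.10 address are all constructed placeholders.

```python
"""Correlate constructed endpoint events for a PamStealer-style delivery chain."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One endpoint telemetry record (constructed schema, not any vendor's format)."""
    ts: float            # seconds since epoch
    kind: str            # "exec", "auth_prompt" or "net_connect"
    process: str         # name of the acting process
    detail: str          # file executed, or host contacted
    quarantined: bool = False   # file still carried com.apple.quarantine


SCRIPT_RUNNERS = {"Script Editor", "osascript"}   # hosts that run compiled AppleScript
TRUSTED_NET = {"Safari", "Google Chrome", "firefox", "nsurlsessiond"}  # assumed baseline
WINDOW_SECONDS = 300.0   # how long after the script launch we look for follow-on events


def is_suspicious_script_launch(e: Event) -> bool:
    """Compiled .scpt run from a mounted disk image while still quarantined."""
    return (e.kind == "exec"
            and e.process in SCRIPT_RUNNERS
            and e.detail.lower().endswith(".scpt")
            and e.detail.startswith("/Volumes/")
            and e.quarantined)


def correlate(events: List[Event]) -> List[Dict]:
    """Return one finding per suspicious script launch, scored by what followed it."""
    findings = []
    ordered = sorted(events, key=lambda x: x.ts)
    for e in ordered:
        if not is_suspicious_script_launch(e):
            continue
        later = [x for x in ordered if e.ts < x.ts <= e.ts + WINDOW_SECONDS]
        prompt = next((x for x in later if x.kind == "auth_prompt"), None)
        conn = next((x for x in later
                     if x.kind == "net_connect" and x.process not in TRUSTED_NET), None)
        # Launch alone is medium; a password prompt raises it; an unexpected
        # outbound connection after the prompt is the full chain.
        severity = "medium"
        if prompt is not None:
            severity = "critical" if conn is not None else "high"
        findings.append({
            "script": e.detail,
            "severity": severity,
            "auth_prompt_after_s": None if prompt is None else round(prompt.ts - e.ts, 1),
            "outbound_to": None if conn is None else conn.detail,
        })
    return findings


# Constructed sample timeline mirroring the chain described above (not real telemetry).
SAMPLE = [
    Event(1000.0, "exec", "Script Editor", "/Volumes/Maccy/Maccy.scpt", quarantined=True),
    Event(1012.0, "auth_prompt", "Maccy.scpt", "system authentication dialog"),
    Event(1030.0, "net_connect", "Google Chrome", "www.example.com"),
    Event(1045.0, "net_connect", "stagehelper", "203.0.113.10"),  # placeholder address
    Event(2000.0, "exec", "osascript", "/Users/dev/Library/Scripts/backup.scpt"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

The second osascript launch in the sample is a local, unquarantined script and produces no finding, which is the distinction a rule like this has to make to stay usable on developer workstations.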
Credential rotation is the remediation action for any macOS endpoint suspected of PamStealer infection. Because the malware captures the macOS login password in plaintext, every credential derived from that password, including all keychain entries, should be treated as compromised and rotated. This includes corporate VPN credentials, SSO passwords, cloud infrastructure API keys stored in the keychain, and any other credentials that the affected user had saved on the device.
PamStealer is not an isolated development. It is one instance of a broader ecosystem of commercially developed and independently created macOS infostealers that has expanded significantly over the past two years. Atomic Stealer, Cuckoo, and Banshee are among the macOS-targeting malware families that have been documented in this period, each using different distribution mechanisms and exfiltration approaches but sharing the common objective of harvesting credentials from Apple hardware.
The commercial model underlying many of these tools makes them accessible to a wide range of threat actors. Infostealer malware is frequently sold as a service on criminal forums, with subscription pricing that includes access to a control panel for managing infections and a builder that generates customised payloads. A threat actor with no malware development capability can deploy a sophisticated infostealer campaign against macOS targets by purchasing access to one of these services, lowering the barrier to entry for macOS-targeted credential theft.
The credentials collected by these campaigns flow into infostealer log marketplaces where they are sold to buyers looking for specific access types. An organisation in the technology sector whose developers use macOS may find its source code repository credentials, cloud platform API keys, and internal tool access tokens appearing on these markets within hours of a successful infection. The hidden danger of leaked credentials is that the exposure window, from the moment of theft to the moment of use by a buyer, can be extremely short, leaving little time for detection and response if no proactive monitoring is in place.
For security teams managing mixed-OS environments, the PamStealer discovery is a prompt to audit the security coverage gap between Windows and macOS endpoints. The question is not whether macOS is inherently less secure than Windows. The question is whether the security controls, monitoring, and detection capabilities deployed on macOS endpoints in your organisation are equivalent to those on Windows systems, and if they are not, what adversaries are currently doing with that gap.
To understand why PAM abuse on macOS is a significant threat, it helps to understand how PAM works at a technical level and why legitimate applications invoke it. PAM was originally developed for Linux systems as a way to modularise authentication policies, allowing system administrators to configure different authentication requirements for different services without modifying the applications themselves. Apple adopted PAM in macOS as part of the UNIX foundation of the operating system, and it has been present in every macOS release since Mac OS X.
When a macOS application calls PAM to authenticate a user, the standard experience is a system dialogue box with the application's name, the macOS lock icon, and a password field. The security model that users have been conditioned to apply to this dialogue is that seeing it confirms the request is legitimate and system-level. This is the assumption that PamStealer subverts. A malicious application that presents a PAM authentication dialogue is indistinguishable from a legitimate one at the visual level, because both produce the same system-generated interface.
The technical path by which PamStealer captures the entered password is to intercept the credential at the PAM call itself, before the legitimate authentication subsystem alone handles it. The captured plaintext password is then written to a staging location on the filesystem or held in memory pending exfiltration, while the legitimate PAM authentication continues to completion so that the user sees the expected outcome and does not suspect the interception. The user's experience is a momentary password prompt that appears to have completed successfully. The attacker's experience is a plaintext credential that opens the user's keychain.
The keychain access that follows the credential capture is not an additional exploitation step requiring a separate vulnerability. macOS's keychain architecture is designed so that the logged-in user's keychain is unlocked by the login password. An application running with the user's privileges and in possession of the login password can call the keychain API to read entries from the user's keychain without triggering additional authentication prompts. PamStealer uses this design to enumerate and extract keychain entries after obtaining the login password, producing a credential harvest that extends far beyond the initial password capture.
The scope of what a keychain can contain in an enterprise macOS environment should not be underestimated. Safari stores website passwords and passkeys in the keychain. Many enterprise applications, including VPN clients, cloud storage tools, and development environment credential managers, store their authentication tokens and API keys in the keychain. Corporate single sign-on credentials may be cached there. A complete keychain exfiltration from a senior engineer's macOS workstation can represent the keys to dozens of enterprise systems.
PamStealer's PAM abuse mechanism distinguishes it from the majority of macOS infostealers documented in recent years, which have typically focused on browser database extraction and keychain enumeration through approaches that do not require the user's plaintext password. Atomic Stealer and its variants, for example, take a different approach to prompting for the password: they present custom dialogue boxes that are built by the malware itself and mimic the appearance of macOS system prompts, but are not genuine PAM invocations. Jamf Threat Labs' identification of PamStealer's use of actual PAM invocations represents a more technically integrated approach that is harder for endpoint security tools to distinguish from legitimate PAM usage.
The AppleScript delivery format also sets PamStealer apart from malware that uses more standard executable formats such as Mach-O binaries or application bundles. Security tools that scan for Mach-O executables with known malicious signatures or suspicious code-signing characteristics may not apply the same scrutiny to compiled AppleScript files, which are a legitimate format used by macOS automation tools and have a smaller signature surface for detection. This delivery choice appears deliberate: using a format that is native to macOS and less commonly associated with malware reduces the probability of pre-execution detection.
PamStealer targets Apple Silicon Macs specifically. The AppleScript dropper fingerprints the host, collecting details including CPU architecture, locale, keyboard layout, and time zone, and uses them to derive a decryption key for an encrypted configuration file. On Intel-based Macs, this key derivation fails and the dropper terminates. The malware also avoids execution in sandboxed or analysis environments, and geofences against Eastern European countries including Russia, Belarus, Kazakhstan, and Armenia, a common pattern in financially motivated malware designed to avoid drawing attention from local law enforcement.
The distribution through fake Maccy sites is consistent with a pattern seen across multiple infostealer campaigns targeting macOS users in 2025 and 2026. Fake sites impersonating Arc browser, CleanMyMac, and other popular macOS utilities have been used to distribute various macOS malware families. The common thread is the targeting of software that macOS power users in developer and security communities are likely to seek out independently, bypassing the App Store review process that provides some level of malware filtering for software distributed through Apple's official channel.
Defendis monitors dark web forums, criminal marketplaces, and threat actor channels for early signals specific to your organisation: credential exposure, active campaigns targeting your sector, and indicators tied to your infrastructure. Book a demo to see what we see before it reaches you.