Fake Mac Clipboard App Delivers New Password-Stealing Malware
Mac users searching for the open-source clipboard app Maccy are being lured to a fake site that delivers a malicious AppleScript installer, according to Jamf Threat Labs. The campaign installs a new Rust-based infostealer called PamStealer, which first checks the victim’s macOS login password through PAM (Pluggable Authentication Modules) and then downloads a second-stage payload using native macOS tools to avoid common security monitoring. The final malware targets Apple Silicon Macs, disguises itself as Finder or Software Update, and uses host fingerprinting to unlock an encrypted configuration. If successful, it can steal browser credentials, Keychain data, clipboard contents, and crypto wallet keys, while also trying to gain Full Disk Access through a delayed fake Finder prompt. Jamf says it has not seen active infections, but reported the findings to Apple. The campaign reflects a broader trend of malware spread through lookalike sites, ads, and trusted platforms.
