blindthoughts

PamStealer macOS Malware Abuses PAM Dialogs to Harvest Login Passwords

Jamf Threat Labs has disclosed a new macOS information stealer — dubbed PamStealer — that tricks users into downloading a malicious compiled AppleScript (.scpt) file disguised as Maccy, a widely-used open-source clipboard manager. The malware is distributed through fake Maccy websites that closely mimic the legitimate project's download pages. Coverage from both Ars Technica and The Hacker News underscores the campaign's operational maturity.

Once executed, PamStealer invokes macOS's Pluggable Authentication Modules (PAM) to surface a credential prompt that is visually indistinguishable from a legitimate OS dialog. Whatever password the user enters is exfiltrated along with other sensitive data from the machine. The choice of AppleScript packaging is deliberate tradecraft: .scpt binaries are scanned far less aggressively by AV engines than standard Mach-O executables, and PAM prompts carry enough native-OS legitimacy that most users comply without hesitation.

Why This Matters

Mac infostealers are no longer a footnote. Threat actors are now investing in macOS-native attack chains that are operationally on par with their Windows counterparts, and PamStealer's approach is among the more mature examples seen to date. A harvested local login password unlocks macOS Keychain entries, SSH private keys, API tokens in plaintext config files, and browser-saved secrets. For any technical organization where developers and administrators run Macs — which is most of them — a single successful hit can pivot directly into cloud infrastructure, internal systems, or privileged CI/CD pipelines.

The social-engineering vector is worth noting specifically: Maccy is a real, reputable tool that many developers install and recommend. Typosquatted or SEO-poisoned fake download sites targeting trusted developer utilities are an increasingly common delivery mechanism, and team members who would scrutinize an unexpected email attachment may not apply the same skepticism to a download page that looks right.

What to Do

  1. Lock down your Maccy source. The legitimate app is distributed only through its GitHub releases page and the Mac App Store. Communicate this to your team today and flag any other download source as untrusted.
  2. Hunt for unexpected .scpt files. Run `find ~/Downloads -name "*.scpt" -mtime -30` on any team Mac. An AppleScript binary that arrived from a browser is unusual and warrants immediate inspection.
  3. Treat unsolicited PAM prompts as hostile. A system password dialog appearing outside of a sudo command, System Settings change, or software update is a red flag. The correct response is to dismiss — not comply — and then investigate the process that triggered it.
  4. Verify EDR coverage for AppleScript execution. Check that your endpoint tooling (Jamf Protect, CrowdStrike Falcon for Mac, or equivalent) has behavioral rules covering unsigned or ad-hoc-signed processes spawning AppleScript runtimes. Jamf Threat Labs' disclosure should produce updated signatures quickly.
  5. Rotate if exposure is suspected. If anyone recently ran an unexpected .scpt file and entered their login password, treat that credential as compromised. Rotate the macOS account password, audit Keychain contents, review SSH authorized_keys entries, and check OAuth and API token activity logs for anomalies.
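The hunting step above can be taken a little further than a bare find: compiled AppleScript files start with the magic bytes "FasdUAS", and a file downloaded through a browser carries a com.apple.quarantine attribute whose third field names the downloading application. The script below is an added example, not from the post or from Jamf; it assumes those two facts and degrades gracefully on non-macOS hosts, where xattr is unavailable.

```shell
#!/bin/sh
# Hunt for recently written compiled AppleScript files (step 2 above).
# POSIX sh; the quarantine lookup is macOS-only and is skipped elsewhere.

# Compiled AppleScript (.scpt) files begin with the magic bytes "FasdUAS".
# Returns 0 when the file has that header, 1 otherwise.
is_compiled_applescript() {
  [ "$(head -c 7 "$1" 2>/dev/null)" = "FasdUAS" ]
}

# Prints the application that downloaded the file, taken from the third
# field of the com.apple.quarantine record (e.g. "Safari"); prints nothing
# when there is no record or no xattr tool on this host.
quarantine_agent() {
  if command -v xattr >/dev/null 2>&1; then
    xattr -p com.apple.quarantine "$1" 2>/dev/null | cut -d';' -f3
  fi
}

# Classifies one file and prints a tab-separated line:
#   COMPILED|PLAIN <path> [downloaded-by=<agent>]
classify_scpt() {
  kind=PLAIN
  is_compiled_applescript "$1" && kind=COMPILED
  agent=$(quarantine_agent "$1")
  if [ -n "$agent" ]; then
    printf '%s\t%s\tdownloaded-by=%s\n' "$kind" "$1" "$agent"
  else
    printf '%s\t%s\n' "$kind" "$1"
  fi
}

# Lists every *.scpt modified within the last $2 days (default 30) under
# directory $1 (default ~/Downloads), one classified line per file.
hunt_scpt() {
  dir=${1:-$HOME/Downloads}
  days=${2:-30}
  find "$dir" -type f -name '*.scpt' -mtime "-$days" 2>/dev/null |
    while IFS= read -r f; do
      classify_scpt "$f"
    done
}

hunt_scpt "$@"
```

A COMPILED line tagged downloaded-by=Safari (or another browser) is exactly the combination step 2 calls out for inspection; a PLAIN line is a text file with a .scpt name and is not a compiled script.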