CrashStealer: the new Mac malware that slips past Apple's own safety checks
Researchers at Jamf Threat Labs say the C++-based stealer used an Apple-notarised installer to bypass Gatekeeper and grab passwords, browser data and crypto wallets from macOS users.

Key points
- Jamf Threat Labs has identified a new macOS information stealer called CrashStealer, written in native C++ rather than the usual AppleScript or Objective-C.
- The malware arrived inside an installer that had been signed and notarised by Apple, meaning it passed the built-in Gatekeeper safety check that normally warns users about untrusted apps.
- CrashStealer checks the victim's login password on the machine itself before sending stolen data out, a trick designed to avoid noisy network traffic that antivirus tools might spot.
- Once running, it targets saved browser passwords, cookies, Keychain data and cryptocurrency wallets, the same shopping list used by families of stealers like Atomic and Poseidon.
- Apple can revoke the developer certificate behind the notarised installer, but users who already ran it are not automatically cleaned up.
A new piece of Mac malware is doing something that should not be easy: walking straight past Apple's front-door security check.
Researchers at Jamf Threat Labs have named it CrashStealer. It is an information stealer, which is malicious software designed to sit quietly on a computer and quietly copy out anything valuable it finds, from saved website passwords to cryptocurrency wallet files.
What makes this one stand out is how it is built, and how it got in.
How did the malware get past Apple's checks?
It used an installer that Apple itself had approved. Every Mac runs a security feature called Gatekeeper, which checks whether an app has been "notarised" by Apple, a process where Apple scans the software and issues a digital stamp of approval. Apps without that stamp trigger a warning. Apps with it usually open without a fuss.
CrashStealer's dropper, the small program that plants the real malware, carried a valid Apple notarisation. So Gatekeeper waved it through. The user saw no scary pop-up telling them the file came from an unidentified developer.
This is not a flaw in Gatekeeper as such. It is a reminder that notarisation is an automated malware scan, not a full audit. Attackers who register a developer account and submit a clean-looking installer can, and clearly do, get past it.
What is different about how it is built?
Most Mac stealers over the last two years have been written in AppleScript or wrapped in Objective-C. Those are easier to write but also easier for security tools to spot. CrashStealer is written in native C++, according to Jamf, which the first report by The Hacker News noted makes the code harder to analyse and easier to disguise.
It also does something clever with the victim's password. Before sending anything to its operators, it checks the login password locally on the Mac. That means it does not have to call home repeatedly or brute-force credentials over the network, which are the sorts of behaviours that antivirus products are trained to flag.
Once it is happy, it goes hunting. Jamf's analysis points to the usual haul: saved browser credentials and cookies, data from the macOS Keychain (Apple's built-in password vault), and files belonging to popular cryptocurrency wallets.
Should Mac users be worried?
Mildly, and specifically. Home users who only install software from the Mac App Store or from well-known vendors' own sites are at low risk. The people getting hit by this class of malware tend to be users chasing cracked apps, pirated games, or "free" versions of paid tools posted on random forums and Telegram channels. That is the delivery route stealers like Atomic and Poseidon have used all year.
If you think you may have installed something dodgy in recent weeks, a few practical steps:
- Change the passwords for any accounts saved in your browser or Keychain, starting with email, banking and any crypto exchanges.
- Turn on two-factor authentication everywhere it is offered, so a stolen password alone is not enough.
- Move any cryptocurrency out of software wallets on that Mac and into a fresh wallet on a clean device.
- Run a reputable Mac security scanner and, if in doubt, back up your documents and reinstall macOS.
Apple can revoke the developer certificate that signed the dropper, and usually does once researchers report it. That stops new infections. It does not undo old ones.



