PamStealer: Fake Maccy App Hides Mac Password-Grabbing Script
Researchers say the AppleScript malware poses as a popular clipboard tool, tricks users into typing their Mac password, then quietly ships browser data and crypto wallets to its operators.

Key points
- Jamf Threat Labs has identified a new macOS information stealer, named PamStealer, that pretends to be the open-source clipboard app Maccy.
- The malware ships as a compiled AppleScript file and abuses macOS Pluggable Authentication Modules to check that the password a victim types is genuine.
- PamStealer hunts for browser data, saved credentials and cryptocurrency wallets, then sends them to servers controlled by the attackers.
- Users are lured through lookalike websites impersonating the legitimate Maccy project.
- Mac users who installed Maccy from anywhere other than the official source should treat their login password and browser-stored credentials as exposed.
A new piece of Mac malware is doing the rounds, and it is unusually polite about asking for your password.
Researchers at Jamf Threat Labs, first written up by The Hacker News, have named it PamStealer. It is an information stealer — malicious software designed to quietly harvest data from an infected computer and send it back to the criminals running the campaign.
The bait is Maccy, a well-known free clipboard manager for macOS that keeps a history of things you copy and paste. The real Maccy is open-source and harmless. The fake version is not.
How does the attack actually work?
Victims land on a lookalike website that mimics the genuine Maccy project and download what looks like the app. What they actually get is a compiled AppleScript file, ending in .scpt — a small script that macOS can run directly, rather than a normal application bundle.
When the script runs, it puts up a password prompt that looks like the standard macOS one. The user, expecting a routine permission request during install, types their login password.
Here is the clever part. Instead of just grabbing whatever the user types, PamStealer checks that the password is real before sending it anywhere. It does this by quietly calling on PAM, short for Pluggable Authentication Modules — the built-in part of macOS that decides whether a password is correct when you log in or run an admin command. If PAM says the password is valid, the malware keeps it. If not, it asks again.
That detail matters. It means the criminals never end up with a wrong password, and the victim never gets suspicious from repeated failed prompts.
What does it steal?
Once PamStealer has a working password, it moves through the usual shopping list for a Mac stealer: data from web browsers including saved logins, cookies and autofill entries, files linked to cryptocurrency wallets, and system information that helps identify the victim. The haul is bundled up and sent to a server run by the attackers.
Because the malware holds the real login password, anything on the Mac protected by that password — including items in the macOS Keychain, where Safari and many apps store credentials — is within reach.
Should ordinary Mac users be worried?
Only if you downloaded Maccy from somewhere other than its official GitHub project or the developer's own site. The legitimate app is not the problem; imitation download pages are.
A few practical steps if you think you may have installed the fake version:
- Change your Mac login password from a device you trust.
- Reset passwords for any accounts saved in your browser or Keychain, starting with email, banking and any cryptocurrency exchange or wallet service.
- Turn on two-factor authentication anywhere it is offered, so a stolen password alone is not enough.
- Run a reputable Mac security scanner and, if in doubt, back up your files and reinstall macOS from scratch.
Jurisdiction here depends on where victims sit. In the United States the Federal Trade Commission handles consumer-facing data harm of this kind; in the United Kingdom the Information Commissioner's Office would step in if a business device was affected and personal data on customers was exposed.
Mac malware is no longer rare, and "it's a Mac, it's fine" stopped being a defence some time ago. Treat unexpected password prompts the way you would treat an unexpected phone call from your bank: pause, and check the source before you answer.



