Learn about PamStealer, a new macOS malware that uses fake Maccy download sites and PAM checks to steal login passwords from your keychain. Find out how to protect yourself.
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that uses a handful of clever tricks to infect systems and siphon sensitive data. If you're a Mac user who thinks your machine is immune to malware, this one might make you think twice.
The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file that impersonates Maccy, a legitimate open-source clipboard manager. It's been codenamed PamStealer because of its ability to bypass macOS's built-in protections and grab login passwords stored in the keychain. Let's break down how it works and what you can do to stay safe.
### How PamStealer Gets Onto Your Mac
Attackers are using fake websites that look exactly like the real Maccy download page. When you visit one of these sites and click the download button, you don't get the clipboard manager you were expecting. Instead, you get a .scpt file that's actually the PamStealer malware.
The file itself is small, usually under 1 megabyte, so it downloads fast and doesn't raise any red flags. Once opened, it runs an AppleScript that starts the infection process without needing any admin password upfront. This makes it especially dangerous because many users won't suspect anything until it's too late.
### What Makes PamStealer Different
Most Mac malware relies on tricking you into giving it permissions. PamStealer takes a different approach. It checks for PAM (Pluggable Authentication Modules) configuration on your system; in plain terms, it looks for a way around the login authentication step.
- **PAM checks:** The malware scans your Mac's PAM settings to find weaknesses it can exploit.
- **Keychain access:** Once it finds a way in, it grabs passwords from your keychain, including login credentials, Wi-Fi passwords, and app passwords.
- **Data exfiltration:** It then sends all that stolen data to a remote server controlled by the attackers.
This is not your average cookie-stealing script. PamStealer is targeting the core of your Mac's security: the keychain and login system.
### Who Is at Risk?
If you use a Mac and you've ever downloaded software from a site that wasn't the official developer's page, you're at risk. The fake Maccy sites are designed to look convincing, so even experienced users can be fooled.
Businesses are especially vulnerable. If just one employee downloads the malware, the attacker could gain access to company credentials, VPN passwords, and other sensitive information. The cost of a breach like this can run into tens of thousands of dollars per incident when you factor in downtime, remediation, and lost data.
### How to Protect Yourself
Here are some practical steps you can take right now to avoid falling victim to PamStealer:
- **Only download from official sources.** Always go to the developer's website or the Mac App Store. Don't trust search results or ads.
- **Check the file type before opening.** If you download something and it ends in .scpt, .command, or .app, be suspicious. Legitimate apps usually come as .dmg or .pkg files.
- **Keep your Mac updated.** Apple regularly patches security holes. Make sure you're running the latest version of macOS.
- **Use a good antivirus tool.** While Macs are generally secure, a dedicated security tool can catch threats like PamStealer before they execute.
- **Turn on FileVault encryption.** This adds an extra layer of protection to your data, even if an attacker gets access to your system.
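One way to put the "check the file type before opening" step into practice, as an added example that is not from the article or from Jamf: a small shell function that flags the risky extensions listed above and, independently of the name, detects a compiled AppleScript payload by its leading magic bytes `FasdUAS`. The function name and messages are this example's own choices; the sample files created in the usage comment are constructed.

```shell
#!/bin/sh
# Pre-open check for a downloaded file. Flags the two traits the article
# warns about: a risky extension (.scpt, .command, .app) and a compiled
# AppleScript body, which always starts with the 7-byte magic "FasdUAS".
# Returns 0 when nothing looks off, 1 when the file should not be opened.
# Usage: check_download ~/Downloads/Maccy.scpt
check_download() {
    f="$1"
    verdict=0

    # 1. Extension check: real apps ship as .dmg or .pkg, not as scripts.
    case "$f" in
        *.scpt|*.applescript|*.command|*.app)
            echo "WARN: risky extension on $f"
            verdict=1 ;;
    esac

    # 2. Content check: read the first 7 bytes and compare to the compiled
    #    AppleScript magic. A renamed .scpt (e.g. "Maccy.dmg") is caught here.
    if [ -f "$f" ]; then
        magic=$(dd if="$f" bs=7 count=1 2>/dev/null)
        if [ "$magic" = "FasdUAS" ]; then
            echo "WARN: $f is a compiled AppleScript, whatever its name says"
            verdict=1
        fi
    fi

    # 3. macOS only: show the quarantine attribute so you can confirm the
    #    download will still be subject to Gatekeeper when opened.
    if [ "$(uname)" = "Darwin" ] && [ -e "$f" ]; then
        xattr -p com.apple.quarantine "$f" 2>/dev/null \
            || echo "NOTE: $f carries no quarantine attribute"
    fi

    return $verdict
}
```

Run it on anything that lands in Downloads from a site you did not navigate to directly; a non-zero exit means do not double-click the file.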
### What to Do If You Think You're Infected
If you suspect PamStealer has made its way onto your Mac, act fast. Disconnect from the internet immediately to stop any data from being sent out. Then run a full system scan with a trusted security tool. Change all your passwords from a different, clean device. And consider contacting a cybersecurity professional if you're managing a business network.
### The Bottom Line
PamStealer is a reminder that Macs aren't invincible. The bad guys are getting smarter, using fake sites and system checks to bypass defenses that used to work. Staying safe means staying skeptical. If something looks off, it probably is. Don't let a fake download page cost you your privacy or your peace of mind.