Jamf Threat Labs found PamStealer packaged as a fake Maccy clipboard manager on maccyapp[.]com, with an AppleScript dropper and a Rust second stage keyed to Apple silicon Macs. It validates the victim's login password through PAM, watches the clipboard, grabs Keychain and wallet-extension data, and can wait up to 40 minutes before pushing a fake Finder Full Disk Access prompt. Jamf told Decrypt it has not seen PamStealer active in the wild; Apple was notified and had not responded by publication.

TLDR by @Benthic
