New CrashStealer Malware Impersonates macOS Crash Reports to Hijack User Passwords

A dangerous new Mac malware called CrashStealer is bypassing Gatekeeper by impersonating Apple crash reports to steal your passwords and sensitive data. Learn how to protect your device.

A
Staff Writer
Posted on 16/07/2026 07:19
New CrashStealer Malware Impersonates macOS Crash Reports to Hijack User Passwords

A sophisticated new piece of malware targeting macOS users, dubbed 'CrashStealer,' has been identified by security researchers. This malicious software is particularly dangerous because it expertly impersonates Apple’s own system crash reporting tools, making it highly likely for unsuspecting users to fall victim.

How CrashStealer Operates

According to analysis from security firm Jamf, CrashStealer masquerades as a legitimate application, often disguised as a meeting platform known as 'Werkbit.' Once the user is tricked into downloading the software, it utilizes a signed and Apple-notarized installer. By leveraging this official-looking signature, the malware successfully bypasses macOS Gatekeeper, the security mechanism designed to prevent unauthorized or malicious software from running on the operating system.

The Anatomy of the Attack

Upon launch, the application displays a fraudulent system prompt requesting the user's password—a common sight for legitimate software installations. When a victim complies and inputs their credentials, the malware gains the authorization needed to access the macOS Keychain. This encrypted vault contains highly sensitive data, including:

  • Safari login credentials
  • Application passwords
  • Wi-Fi network keys

Beyond the Keychain, the malware is capable of scraping cookies and login credentials from browsers like Chrome, Firefox, and other Chromium-based alternatives. It also targets data from approximately 80 different cryptocurrency wallet extensions and multiple popular password management applications, such as 1Password and LastPass.

Data Exfiltration

Once the sensitive information is harvested, CrashStealer encrypts the stolen data, compresses it into hidden ZIP files, and uploads the packages to a remote command-and-control (C&C) server operated by the attackers.

How to Protect Your Mac

To defend against this and similar threats, users should follow these security best practices:

  1. Avoid Sideloading: Only install software from the Mac App Store or directly from trusted, verified developer websites.
  2. Use Caution with Prompts: Be highly skeptical of unexpected system password prompts, especially those appearing after installing a new application.
  3. Employ Additional Security: While Gatekeeper is a strong first line of defense, it is not infallible. Using reputable third-party antivirus software for macOS can provide an essential secondary layer of protection.
  4. Stay Vigilant: Always verify the authenticity of any software or installer, particularly if it was acquired from an unofficial source or an unsolicited link.

Related Posts