PamStealer: New Stealthy macOS Malware Disguised as Clipboard Manager Targets User Credentials
Learn about PamStealer, a new macOS malware posing as the Maccy clipboard manager to steal passwords and crypto keys. Discover how it works and how to stay safe.

The Rise of Sophisticated macOS Infostealers
For years, Mac users enjoyed a sense of relative security compared to their Windows counterparts. However, that gap is closing rapidly as cybercriminals develop more targeted and sophisticated tools. The latest threat, identified by security researchers at Jamf, is a piece of malware dubbed PamStealer. This infostealer employs a clever combination of social engineering and native macOS system tools to bypass security warnings and harvest sensitive login information.
How PamStealer Deceives Users
PamStealer does not arrive as a blatant virus but rather as a counterfeit version of a popular, legitimate productivity app called Maccy—a lightweight clipboard manager. By impersonating a trusted utility, the malware lures users into downloading and installing it from a fraudulent domain.
The Two-Stage Infection Process
The malware utilizes a multi-stage execution chain designed to stay under the radar of traditional antivirus software:
- Stage One: The AppleScript Entry: The malware arrives via a disk image. Upon opening, users are prompted to execute an AppleScript. By using this method, PamStealer successfully bypasses
com.apple.quarantine, the native macOS security feature that typically flags and restricts executable files downloaded from the internet. - Stage Two: The Rust-Based Payload: Once the script is active, it utilizes a JavaScript for Automation (JXA) downloader to retrieve a second-stage payload. This payload is a Mach-O file written in Rust, specifically optimized for Apple M-series CPUs. The use of Rust is particularly notable as it is uncommon for commodity macOS stealers, making the malware harder for some security tools to recognize.
Stealing Credentials via PAM
What sets PamStealer apart from basic malware is its use of the Pluggable Authentication Modules (PAM) interface. Instead of using obvious shell commands like curl or zsh, which often trigger security alerts, PamStealer presents a native-looking macOS password prompt.
The prompt typically reads: “Maccy wants to make changes. Enter your password to allow this.” When the unsuspecting user enters their admin password, the malware validates the credentials locally through the PAM API. This allows the attacker to either gain full disk access or inject malicious code to target specific assets, such as Ethereum cryptocurrency accounts.
How to Protect Your Mac from PamStealer
While macOS has built-in defenses like XProtect, the human element remains the primary vulnerability. Here are the best practices to keep your device secure:
1. Verify Software Sources
Always ensure you are downloading software from official websites. In the case of Maccy, the only legitimate site is maccy.app. Be wary of similar-looking URLs, such as maccyapp.com, which have been used to host the malware.
2. Prioritize the App Store
Whenever possible, download applications directly from the Apple App Store. Because Apple vets apps before they are listed, the risk of installing an infostealer is significantly reduced compared to downloading random .dmg files from the web.
3. Be Skeptical of Unexpected Password Prompts
If an application you just installed suddenly asks for your administrator password to "make changes" without a clear reason, stop and investigate. High-quality software usually explains exactly why elevated permissions are required.
4. Use Layered Security
While XProtect is a great baseline, considering a reputable third-party antivirus solution can provide an extra layer of heuristic analysis to catch "zero-day" threats like PamStealer before they execute.