Cybersecurity firm Jamf Threat Labs says that on Thursday it identified a fake version of the Maccy clipboard manager that delivers a new Rust-based malware dubbed PamStealer. The malicious app is distributed via a lookalike website containing an AppleScript file that, when executed, harvests users' passwords and crypto wallet keys by validating login credentials through macOS Pluggable Authentication Modules (PAM).
Once installed, the malware uses JavaScript for Automation and native macOS APIs to download a second-stage payload designed for Apple Silicon Macs. It can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and request Full Disk Access to reach protected files including Mail, Messages, and Time Machine backups. Jamf has not detected active PamStealer campaigns to date but has notified Apple of its findings.