Cybersecurity researchers have uncovered a novel macOS information stealer dubbed PamStealer. Discovered by Jamf Threat Labs, the malware is distributed as a compiled AppleScript (.scpt) file that impersonates Maccy, a legitimate open-source clipboard manager. The name PamStealer derives from its ability to abuse Pluggable Authentication Modules (PAM) for credential theft.

The stealer employs a series of sophisticated tricks to compromise systems and exfiltrate sensitive data. While the full scope of its impact remains under assessment, it specifically targets macOS users who download the fake Maccy software. The campaign relies on social engineering to trick victims into executing the malicious script, bypassing traditional security warnings.

Technical analysis reveals that PamStealer leverages PAM hooks to intercept login credentials as users authenticate on their Macs. This mechanism allows the malware to capture passwords without alerting the user. The attack chain begins with a fake download site that closely mirrors Maccy's legitimate distribution page, luring victims into downloading the .scpt file.

Once executed, the AppleScript runs malicious code that establishes persistence and enables continuous credential theft. Indicators of compromise include unexpected .scpt files on the system, unauthorized PAM configuration changes, and suspicious network traffic to command-and-control servers. Jamf researchers are analyzing full infection chains to identify all IoCs.

Currently, no patches or official workarounds have been released, as this is a newly identified threat. Users are advised to verify the authenticity of software downloads by checking official sources and developer signatures. Organizations should monitor for unauthorized PAM modifications and restrict execution of unsigned AppleScript files as a precaution.
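One way to act on that monitoring advice, as an added example that is not from Jamf's report or from the Maccy project: a POSIX shell audit that walks a pam.d directory and flags any service entry whose module is missing from a baseline allowlist of stock macOS module names, or is loaded by an explicit path rather than by name. The allowlist contents, the script name pam_audit.sh and the sample service files are assumptions; rebuild the list from a known-clean machine before relying on it.

```sh
#!/bin/sh
# Added example (not from the Jamf report): audit a pam.d directory for entries
# that do not match a baseline of stock macOS PAM modules.
# Assumption: these are the module names shipped under /usr/lib/pam on macOS.
# Regenerate this list from a known-clean machine before relying on it.
KNOWN_PAM_MODULES="pam_opendirectory.so pam_permit.so pam_deny.so pam_launchd.so \
pam_smartcard.so pam_tid.so pam_group.so pam_env.so pam_nologin.so pam_uwtmp.so \
pam_self.so pam_securityserver.so pam_mount.so pam_krb5.so pam_ntlm.so pam_sacl.so \
pam_rootok.so pam_wheel.so pam_afpmount.so"

# Return 0 when the module name is on the allowlist, 1 otherwise.
is_known_module() {
  for m in $KNOWN_PAM_MODULES; do
    [ "$m" = "$1" ] && return 0
  done
  return 1
}

# Walk every service file in the given pam.d directory and print one line per
# finding as "<file>:<line>: <reason>: <entry>". Assumes the macOS layout
# "<facility> <control> <module> [args]" (no bracketed Linux-style controls).
audit_pam_dir() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
      set -- $line
      if [ $# -lt 3 ]; then
        printf '%s:%s: malformed entry: %s\n' "$f" "$n" "$line"; continue
      fi
      module="$3"
      case "$module" in
        */*) printf '%s:%s: module loaded by explicit path: %s\n' "$f" "$n" "$line"; continue ;;
      esac
      if ! is_known_module "$module"; then
        printf '%s:%s: module not in baseline (%s): %s\n' "$f" "$n" "$module" "$line"
      fi
    done < "$f"
  done
}

# Usage: sh pam_audit.sh /etc/pam.d
if [ $# -gt 0 ]; then
  audit_pam_dir "$1"
fi
```

Run it periodically (or from an MDM script) and diff the output against the previous run; a first-time finding in a service such as authorization or sudo is what the "unauthorized PAM configuration changes" indicator above looks like on disk.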