Mac users searching for the popular open-source clipboard manager Maccy are being targeted by a newly discovered malware strain designed to steal system login passwords. Dubbed PamStealer, the malicious software disguises itself as a legitimate installer to trick victims into handing over their credentials through native-looking macOS dialog boxes.
According to security researchers at Jamf, the attack relies heavily on social engineering and Apple’s own built-in automation tools to bypass standard security monitoring. The threat highlights a growing sophistication in how threat actors manipulate trusted system interfaces.
How the PamStealer Attack Unfolds
The malware arrives as a disk image containing an AppleScript file that impersonates the Maccy app. Because macOS opens such files in Script Editor rather than installing anything, the victim sees the script's editor window instead of an installer. On-screen instructions then tell the victim to run the script by pressing Command-R (Script Editor's Run shortcut) or clicking Run, an unusual setup step that in fact executes the hidden malicious code.
To evade detection, PamStealer avoids the common Mac command-line utilities that endpoint security tools typically watch. Instead, it uses Apple's native automation features to download and launch its next stage. That payload hides inside app bundles that masquerade as legitimate macOS components such as Finder or Software Update, complete with authentic Apple icons to maintain the illusion.
The Password Prompt Trap
The most dangerous phase of the PamStealer infection is its credential harvesting mechanism. The malware generates a native-looking macOS dialog box stating that Maccy requires permission to make changes, prompting the user for their system password.
Because the password is checked against the actual macOS login verification system, the prompt will persistently reappear if an incorrect password is entered. Once the victim provides the correct credentials, PamStealer captures the data and dismisses the prompt with a fake error message claiming the app is damaged and cannot be opened.
Beyond stealing passwords, the malware actively monitors the system clipboard and registers itself to run automatically upon every login. In some cases, PamStealer waits up to 40 minutes before requesting Full Disk Access, a deliberate delay designed to prevent the user from connecting the invasive permission request to the initial fake installer.
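Because the article says only that PamStealer re-launches at every login, a practitioner's first question is where that persistence lives. The script below is an added example, not Jamf's detection logic: it assumes a user LaunchAgent plist (one common login-persistence mechanism) and applies this example's own heuristics, which mirror the traits described above: a launch through an interpreter such as osascript, an Apple-looking bundle name outside /System, and an Apple-style label in a per-user agent directory. The two plists it builds are constructed samples, not observed indicators.

```python
#!/usr/bin/env python3
"""Flag launchd plists that look like stealer-style login persistence.

Added example, not Jamf's detection logic. The article says only that
PamStealer re-launches at every login; a LaunchAgent plist is the assumed
mechanism here, and the indicator list is this example's own heuristic.
"""
import plistlib
import sys
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Where Apple and properly installed apps launch from. Anything else
# (/tmp, /var/folders, ~/Library/Application Support, ...) deserves a look.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                            "/Library/Apple/", "/Applications/")
# Bundle names the article says PamStealer imitates; the real ones live under /System.
IMPERSONATED_BUNDLES = ("Finder.app", "Software Update.app")
# Launching through an interpreter is how script-based malware avoids shipping a binary.
INTERPRETER_NAMES = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "ruby"}
# Plists here are installed by Apple or by root; a per-user agent is anything else.
SYSTEM_PLIST_DIRS = ("/System/Library/", "/Library/")


def inspect_plist(plist_path) -> dict:
    """Return findings for one launchd plist; 'suspicious' when two or more trip."""
    plist_path = Path(plist_path)
    findings = []
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
        return {"path": str(plist_path), "label": "", "program": "",
                "findings": ["unparseable: %s" % exc], "suspicious": True}

    args = [str(a) for a in (data.get("ProgramArguments") or [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    label = str(data.get("Label", ""))
    user_level = not str(plist_path).startswith(SYSTEM_PLIST_DIRS)

    if data.get("RunAtLoad") or data.get("KeepAlive"):
        findings.append("runs_at_login")
    if program and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append("program_outside_trusted_dirs")
    if Path(program).name in INTERPRETER_NAMES:
        findings.append("interpreter_launcher")
    for token in [program, *args]:
        if any(b in token for b in IMPERSONATED_BUNDLES) and not token.startswith("/System/"):
            findings.append("apple_named_bundle_outside_system")
            break
    if user_level and label.startswith("com.apple."):
        findings.append("apple_label_in_user_launchagents")

    return {"path": str(plist_path), "label": label, "program": program,
            "findings": findings, "suspicious": len(findings) >= 2}


def scan_launch_dirs(dirs=None) -> list:
    """Inspect every .plist in the given dirs (default: the usual launchd locations)."""
    if dirs is None:
        dirs = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    results = []
    for d in map(Path, dirs):
        if d.is_dir():
            results.extend(inspect_plist(p) for p in sorted(d.glob("*.plist")))
    return results


def build_constructed_plists():
    """Write two constructed (not real) plists to a temp dir; return (lure, benign) paths."""
    d = Path(tempfile.mkdtemp(prefix="launchagents-"))
    lure = d / "com.apple.softwareupdate.helper.plist"   # hypothetical label, not an IOC
    with open(lure, "wb") as fh:
        plistlib.dump({
            "Label": "com.apple.softwareupdate.helper",
            "ProgramArguments": [
                "/usr/bin/osascript",
                "/Users/victim/Library/Application Support/Software Update.app/"
                "Contents/Resources/run.scpt",
            ],
            "RunAtLoad": True,
        }, fh)
    benign = d / "com.example.sync.plist"               # ordinary third-party login item
    with open(benign, "wb") as fh:
        plistlib.dump({
            "Label": "com.example.sync",
            "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/Sync"],
            "RunAtLoad": True,
        }, fh)
    return lure, benign


if __name__ == "__main__":
    # Usage: python3 launchagent_triage.py [dir ...]; no args scans the standard dirs.
    for result in scan_launch_dirs(sys.argv[1:] or None):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['path']}  {', '.join(result['findings'])}")
```

The two-finding threshold is deliberate: a benign third-party app that runs at login trips only `runs_at_login`, while the constructed lure trips four indicators at once. Treat the output as a triage list, not a verdict; confirm with `launchctl list` and a look at the referenced bundle before removing anything.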
How to Protect Your Mac
Because PamStealer relies on user interaction rather than exploiting a zero-day vulnerability, defense requires strict download hygiene and awareness of standard macOS behaviors.
- Verify the source: Download Maccy only from official channels or the legitimate maccy.app website, and confirm the disk image contains a Maccy.app bundle rather than a script file.
- Beware of Script Editor: No legitimate macOS application requires you to open Script Editor and manually run code (Command-R or the Run button) to install it. If a download asks for that, close it.
- Scrutinize delayed prompts: Be highly suspicious of unexpected Full Disk Access requests, especially ones that appear well after the last thing you installed; PamStealer deliberately waits so the request is not tied to the fake installer in the user's mind.
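The attack chain above (a script file standing in for the app, no real bundle, a note telling you to press Command-R) and the first two checks in this list can be turned into a quick triage of a mounted disk image before anything in it is double-clicked. The script below is an added example, not code from Jamf or the Maccy project: it assumes the image has already been attached (for instance with `hdiutil attach -readonly -nobrowse`) and takes the mount point as its argument; the heuristics, file-type lists and the `spctl` Gatekeeper check are this example's own choices. The sample layouts it builds are constructed, not captured from a real lure.

```python
#!/usr/bin/env python3
"""Triage a mounted disk image before you double-click anything in it.

Added example, not code from Jamf or the Maccy project. It expects the image
to be attached already (e.g. `hdiutil attach -readonly -nobrowse Maccy.dmg`)
and takes the mount point. Heuristics follow the lure described in the
article; the exact lists and thresholds are this example's assumptions.
"""
import json
import platform
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".scpt", ".scptd", ".applescript"}   # AppleScript, compiled or source
INSTALLER_SUFFIXES = {".app", ".pkg", ".mpkg"}           # what a real download ships as
NOTE_SUFFIXES = {".txt", ".rtf", ".md", ""}              # "read me" files worth reading
RUN_HINTS = ("command-r", "cmd-r", "click run", "press run", "script editor")
APPLE_SYSTEM_APPS = {"finder.app", "software update.app"}  # names the article says are imitated


def triage_mount(mount_point) -> dict:
    """Inspect the top level of a mounted image and return findings plus a verdict."""
    root = Path(mount_point)
    findings, scripts, installers = [], [], []
    for entry in root.iterdir():
        if entry.name.startswith("."):            # .DS_Store, .background, .VolumeIcon.icns
            continue
        suffix = entry.suffix.lower()
        if suffix in SCRIPT_SUFFIXES:
            scripts.append(entry.name)
        elif suffix in INSTALLER_SUFFIXES:
            installers.append(entry.name)
        elif suffix in NOTE_SUFFIXES and entry.is_file() and entry.stat().st_size < 64 * 1024:
            text = entry.read_text(errors="replace").lower()
            if any(hint in text for hint in RUN_HINTS):
                findings.append("note_asks_you_to_run_a_script: " + entry.name)
    if scripts:
        findings.append("applescript_at_top_level: " + ", ".join(sorted(scripts)))
    if not installers:
        findings.append("no_app_or_pkg_bundle")
    for name in installers:
        if name.lower() in APPLE_SYSTEM_APPS:
            findings.append("apple_system_app_name_in_download: " + name)
    return {"mount": str(root), "installers": sorted(installers), "scripts": sorted(scripts),
            "findings": findings, "verdict": "suspicious" if findings else "looks_normal"}


def assess_signature(app_path) -> dict:
    """Ask Gatekeeper whether a bundle is accepted (e.g. notarized Developer ID).

    Only meaningful on macOS; elsewhere it returns checked=False rather than guessing.
    """
    if platform.system() != "Darwin" or not shutil.which("spctl"):
        return {"checked": False, "accepted": None, "output": "spctl not available"}
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", str(app_path)],
                          capture_output=True, text=True)
    out = (proc.stdout + proc.stderr).strip()   # spctl reports on stderr
    return {"checked": True, "accepted": proc.returncode == 0 and ": accepted" in out,
            "output": out}


def build_constructed_samples():
    """Create two constructed (not real) image layouts in a temp dir; return (lure, benign)."""
    base = Path(tempfile.mkdtemp(prefix="dmg-triage-"))
    lure = base / "lure"
    lure.mkdir()
    (lure / "Maccy.scpt").write_bytes(b"placeholder, not a real script")
    (lure / "Read Me First.txt").write_text(
        "To install, open Maccy.scpt and press Command-R (or click Run).")
    benign = base / "benign"
    benign.mkdir()
    (benign / "Maccy.app").mkdir()               # empty stand-in for a real bundle
    return lure, benign


if __name__ == "__main__":
    # Usage: python3 dmg_triage.py /Volumes/Maccy
    report = triage_mount(sys.argv[1])
    report["signature"] = [assess_signature(Path(sys.argv[1]) / a) for a in report["installers"]]
    print(json.dumps(report, indent=2))
```

On a real machine the `spctl` result is the check that matters most: a download whose bundle is not accepted by Gatekeeper should not be opened, however convincing the icon. The triage heuristics exist to catch the case this article describes, where there is no bundle to assess at all because the "installer" is a script.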
The Social Engineering Shift in macOS Malware
PamStealer highlights a growing trend in macOS malware: weaponizing user trust rather than breaking system architecture. By utilizing AppleScript and native UI elements like the Finder icon and standard password dialogs, the attackers are effectively using macOS's own seamless design against the user.
This approach bypasses traditional endpoint detection tools that look for suspicious terminal commands or unauthorized background processes. When the malware asks for a password through a legitimate-looking system prompt, the weakness is no longer in the code; it is in the user's conditioned habit of approving system requests without reading them. As Apple continues to lock down macOS at the kernel level, expect threat actors to lean increasingly on these UI spoofing tactics to extract credentials directly from the user.