logo

Newly discovered PamStealer isn't your typical macOS malware

ID: 45a9be59-8552-56cc-bb47-3607def98fb2

STIX ID: report--45a9be59-8552-56cc-bb47-3607def98fb2

Feed Name: Ars Technica Security (category)

Threat Score
70/100

Date Published: 2026-07-02

Date Updated: 2026-07-03

Author: Dan Goodin

...
...

PamStealer is a newly observed macOS infostealer delivered via a disk image that lures users into opening an AppleScript which runs a self-contained JavaScript for Automation (JXA) downloader; a Rust-written second stage then validates and captures the victim’s login password using macOS PAM and exfiltrates it to an attacker-controlled server. The malware emphasizes stealth—bypassing com.apple.quarantine, impersonating Finder/Software Update components, encrypting C2 traffic, and delaying permission prompts—to reduce detection opportunities.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.