Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data.
The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim's login password through the macOS Pluggable Authentication Modules (PAM) before capturing it.
The malware is delivered in two stages. The first is a compiled AppleScript, distributed inside a disk image, that downloads and stages a follow-on payload. The second is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.
The initial access vector for the malware is a lookalike site ("maccyapp[.]com") that mimics Maccy ("maccy[.]app"). The AppleScript ("Maccy.scpt") present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs.
What's notable here is that the script, once launched via the Script Editor, displays instructions to run it using the "⌘ + R" keyboard shortcut or by clicking the Run button in the Script Editor. Doing so executes the malicious logic, which is hidden in the file below a large block of empty lines.
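For defenders triaging such a file, the blank-line padding is itself a usable signal. The following is an added example, not code from Jamf or from the malware: it assumes the .scpt has already been converted to text (for instance with macOS's `osadecompile`), and the function names and the 30-line threshold are illustrative choices.

```python
"""Flag script text whose visible header is followed by a long blank-line gap."""
from typing import List, NamedTuple


class PaddingGap(NamedTuple):
    first_blank_line: int   # 1-based line number where the blank run starts
    blank_lines: int        # length of the run
    resumes_at: int         # 1-based line number of the next non-blank line


def find_padding_gaps(text: str, min_blank: int = 30) -> List[PaddingGap]:
    """Return blank runs of at least min_blank lines that are followed by content.

    Whitespace-only lines count as blank. str.splitlines() treats CR, LF and
    CRLF as line breaks, so CR-delimited script text is handled too.
    """
    gaps, run_start = [], None
    for idx, line in enumerate(text.splitlines()):
        if line.strip() == "":
            if run_start is None:
                run_start = idx
            continue
        if run_start is not None and idx - run_start >= min_blank:
            gaps.append(PaddingGap(run_start + 1, idx - run_start, idx + 1))
        run_start = None
    # A blank run that reaches end of file hides nothing, so it is not reported.
    return gaps


def content_below_fold(text: str, min_blank: int = 30) -> List[str]:
    """Non-blank lines after the first gap: what a reader misses without scrolling."""
    gaps = find_padding_gaps(text, min_blank)
    if not gaps:
        return []
    tail = text.splitlines()[gaps[0].resumes_at - 1:]
    return [line for line in tail if line.strip()]


# Constructed sample: visible instructions, padding, then a placeholder line.
SAMPLE = (
    "-- Press Cmd+R or click Run to install\r"
    + "\r" * 200
    + "-- [constructed placeholder: logic hidden below the padding]\r"
    + "\r" * 5
)

if __name__ == "__main__":
    print(find_padding_gaps(SAMPLE))
    print(content_below_fold(SAMPLE))
```

A hit is a reason to read the lines after the gap before anyone runs the script, not a verdict on its own.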











