CrashStealer is a new macOS infostealer that masquerades as Apple’s CrashReporter component, uses an Apple‑notarized installer to slip past Gatekeeper, tricks users into handing over their password, and then systematically loots browsers, password managers, crypto wallets, and Keychain secrets before exfiltrating them in AES‑encrypted bundles.
Researchers have been following the development of CrashStealer since May 2026. It impersonates Apple’s CrashReporter component by taking the name CrashReporter.app. It also creates a LaunchAgent named com.apple.crashreporter.helper and uses the legitimate tool’s icon and metadata to look as trustworthy as possible.
Gatekeeper, basically macOS’s bouncer at the door, checks whether an app looks safe before letting it run. By using a notarized installer—one that Apple has scanned and stamped as acceptable—Gatekeeper is more likely to let it through without raising alarms. Getting notarized doesn’t mean Apple intentionally approved the malware. It means the installer passed Apple’s automated checks, and the attackers abused that trust.
The notarized installer, called “Werkbit Setup” is distributed from a fake software site registered in late June and gated behind a meeting PIN (Personal Identification Number), suggesting a targeted, invitation‑only campaign.










