CrashReporter.appGatekeeper bypass via notarized dropper. The infection chain starts with a first-stage application called Werkbit — a signed, Apple-notarized app carrying a valid Developer ID associated with "Emil Grigorov" . Because Apple's notary service approved it, Gatekeeper treats it as trusted and does not show the usual "unidentified developer" warning
. Once the user manually downloads and opens Werkbit, a script downloads the real CrashStealer payload in the background
.
Credentials and data targeted. CrashStealer harvests broadly across the system:
Key techniques.
~/Library/Caches/com.apple.crashreporter/, and creates a LaunchAgent named com.apple.crashreporter.helper to survive reboots What it is. PamStealer is a Rust-based, two-stage macOS infostealer disclosed by Jamf on July 2, 2026 . Its name comes from its novel use of Apple's Pluggable Authentication Modules (PAM) API to verify stolen passwords
.
Distribution and Gatekeeper evasion. PamStealer is served from typosquatted domains impersonating the legitimate Maccy clipboard manager (e.g., maccyapp[.]com) . The attack bypasses Gatekeeper through a known but unpatched gap in macOS Script Editor:
.scpt AppleScript file com.apple.quarantine protections are bypassed, and no warning is shown Credentials and data targeted. The second-stage Rust payload steals:
Key technique — PAM-based password validation. This is PamStealer's signature innovation:
pam_start, pam_authenticate) to test the password against the system's authentication stack before recording it Notarization as a weapon. CrashStealer demonstrates that threat actors can successfully submit malicious apps to Apple's notary service and obtain Gatekeeper-passing signatures . Apple's revocation process is reactive, not preventive — the malware can spread for days or weeks before the certificate is revoked. This follows a pattern seen with earlier malware like MacSync and the Odyssey Stealer family, which also abused valid Apple developer signatures
.
Script Editor as a blind spot. Both PamStealer and a growing number of recent macOS threats exploit the fact that running AppleScripts through trusted system applications bypasses Gatekeeper entirely. Jamf notes this is a documented but still-unpatched gap .
Mac infostealers are getting sophisticated. The use of AES-GCM encryption for exfiltrated data (CrashStealer) and PAM API validation (PamStealer) shows attackers investing in custom, stealthy tradecraft rather than relying on commodity malware . Microsoft also noted in February 2026 a broader trend of macOS, Python, and cross-platform infostealers using "ClickFix" social-engineering lures to steal browser passwords, crypto wallets, and cloud credentials
.
Password validation on-device is a new reliability boost. Rather than guessing or bulk-collecting credentials, both of these stealers confirm the password is valid on the victim's machine before exfiltration — improving the attacker's success rate and reducing the chance of detection from failed logins . This is a meaningful evolution: typical infostealers either capture whatever is typed or use techniques like
dscl or security command calls that may fail silently or trigger alerts .