PamStealer doesn't just steal your macOS passwords—it validates them first by hooking into the system's own Pluggable Authentication Modules (PAM). That's a level of stealth and specificity that sets it apart from typical macOS malware.
A Two-Stage Masquerade
The initial infection vector is a disk image that poses as Maccy, a legitimate clipboard manager for Macs. Inside that image sits an AppleScript file. When a victim double-clicks it, macOS opens the script in Script Editor, where the malicious functionality is buried deep within the file. That ordinary-looking behavior—opening in the editor—helps the malware fly under the radar.
AppleScript itself isn't unusual for Mac malware, but the way PamStealer layers it matters. The script acts as a first-stage loader that pulls down the real payload: an infostealer written in Rust. Rust gives the authors a cross-platform build, but the real cleverness is in the next stage.
Hooking PAM for Stealth
Once the Rust infostealer is active, it uses the PAM interface—the same API macOS uses for authentication workflows—to confirm the target's login password before shipping it to an attacker-controlled server. Validating the credential server-side would be noisy. By doing it locally through PAM, PamStealer avoids network calls for password checks and ensures only valid passwords get exfiltrated. That cuts down on false positives and keeps the malware quiet.
The combination of a clipboard-manager decoy, AppleScript loading through Script Editor, and PAM-based password validation makes this a more sophisticated piece of Mac malware than the usual adware or info-stealing scripts floating around. Security teams should pay attention to any unusual PAM module behavior or AppleScript execution patterns on endpoints.
As macOS malware evolves to leverage system authentication hooks like PAM, defenders need to monitor PAM integrity and AppleScript activity more aggressively—because the next variant might not bother masquerading as a clipboard manager.
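A PAM integrity check of the kind recommended above, added here as an example rather than code from the article or from the PamStealer analysis: it parses /etc/pam.d service files and flags any module that is not in an allow-list of Apple-shipped modules or that is loaded from a path outside /usr/lib/pam. The allow-list is an assumption about a stock macOS install, and the check covers configuration tampering only; a process that merely calls the PAM API to test a password, as PamStealer does, leaves no trace in these files.

```python
import os
import re
from pathlib import Path

# Assumption: PAM module names Apple ships in /usr/lib/pam on a stock macOS install.
APPLE_PAM_MODULES = {
    "pam_opendirectory.so", "pam_smartcard.so", "pam_tid.so", "pam_permit.so", "pam_deny.so",
    "pam_nologin.so", "pam_group.so", "pam_launchd.so", "pam_krb5.so", "pam_mount.so",
    "pam_self.so", "pam_uwtmp.so", "pam_env.so", "pam_securityserver.so", "pam_ntlm.so",
    "pam_rootok.so", "pam_aks.so", "pam_sacl.so",
}
# pam.d entry: type  control (word or [bracketed list])  module-path  [args]
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+.*)?$")

def audit_pam_lines(service, lines):
    # Returns (service, lineno, reason) for every suspicious entry in one service file.
    findings = []
    for n, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        m = LINE_RE.match(entry)
        if not m:
            findings.append((service, n, f"unparseable entry: {entry!r}"))
            continue
        module = m.group(3)
        if "/" in module and not module.startswith("/usr/lib/pam/"):
            findings.append((service, n, f"module loaded from unexpected path: {module}"))
        elif os.path.basename(module) not in APPLE_PAM_MODULES:
            findings.append((service, n, f"non-Apple module: {module}"))
    return findings

def audit_pam_dir(pam_dir="/etc/pam.d"):
    # Runs the audit over every service file in a pam.d directory on a live host.
    findings = []
    for path in sorted(p for p in Path(pam_dir).iterdir() if p.is_file()):
        findings.extend(audit_pam_lines(path.name, path.read_text(errors="replace").splitlines()))
    return findings

# Constructed sample: a stock-looking "sudo" service plus two planted entries.
SAMPLE_SUDO = """\
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       optional       /Users/Shared/.cache/pam_helper.so   # planted
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
session    optional       pam_logger.so   # not an Apple-shipped module
"""
if __name__ == "__main__":
    for svc, lineno, reason in audit_pam_lines("sudo", SAMPLE_SUDO.splitlines()):
        print(f"{svc}:{lineno}: {reason}")
```

Run `audit_pam_dir()` on a host to get the same tuples for every real service file; an empty list means nothing outside the allow-list is configured.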
Source: Newly discovered PamStealer isn't your typical macOS malware
Domain: arstechnica.com