PamStealer masquerades as clipboard tool to steal Mac passwords

Researchers have spotted a fresh macOS information stealer that lures users by posing as a well-known clipboard utility. Named PamStealer, the malware is delivered as a compiled AppleScript file that mimics Maccy, an open-source clipboard manager, and uses deceptive websites to spread. Once on a system, it performs checks through the macOS PAM framework to harvest login passwords and sensitive files before sending them to attackers.
How the bait-and-switch works
The attack chain begins with fake websites that mimic the legitimate Maccy project. Visitors are tricked into downloading a compiled AppleScript file masquerading as the real application. When executed, the script runs in the background, abusing macOS’s PAM module to probe for user credentials. In parallel, it searches for sensitive documents to exfiltrate.
Why macOS users should stay alert
Because the malware is packaged as an AppleScript file rather than a traditional app bundle, it can evade some detection mechanisms that focus on .app containers. Security teams recommend verifying download sources and scrutinizing any unfamiliar scripts, even when they appear to come from reputable open-source projects.
Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.

