News · News

PamStealer Malware Poses as Maccy Clipboard App to Steal Passwords, Keychain, and Crypto Wallets on macOS

PamStealer malware impersonates the Maccy clipboard app to steal macOS passwords, Keychain data, and crypto wallet keys — and verifies credentials via PAM before exfiltrating them.

CoinScoop

A new macOS infostealer dubbed PamStealer is impersonating the legitimate open-source clipboard manager Maccy — harvesting Mac login passwords, browser credentials, macOS Keychain data, clipboard contents, and cryptocurrency wallet keys. Here’s the technically notable twist. It validates stolen passwords through macOS PAM before exfiltrating them, giving attackers immediate confirmation the credentials actually work.

B
Bitcoin
BTC
View coin →
$63,290.00 0.71%
Market cap · $1.27T

Researchers surfaced the campaign first, tracing malicious installers back to fake websites built to mimic the real Maccy project, according to Decrypt. Download the impostor app and you’re met with realistic-looking macOS permission dialogs and password prompts that are genuinely difficult to distinguish from the real thing — letting the malware quietly harvest credentials at the exact moment of entry.

Maccy itself is real. A widely used open-source clipboard manager for macOS, its name and branding are now being weaponized by a threat actor who has built convincing distribution infrastructure around it. Digital Trends reports that Maccy users were formally warned about the fake distribution sites following the campaign’s discovery, a finding since corroborated by multiple independent security outlets.

How PamStealer Stands Apart

So what sets PamStealer apart from the crowded field of macOS infostealers? Its use of the operating system’s own Pluggable Authentication Modules — the PAM subsystem that handles login verification on Unix-like systems — to test each stolen password before it goes anywhere. Apple Insider notes that rather than blindly exfiltrating whatever string a user types into a prompt, the malware confirms the credential is valid against the local PAM stack first. Attackers receive only confirmed, working passwords. That materially increases the value of the stolen data on criminal markets and cuts down on the noise of dead credentials cluttering the haul.

What the Malware Steals

It starts with a fake installer. The thing hits users with what appear to be standard macOS system dialogs requesting password entry or elevated access; once a password lands, PamStealer can reach into the macOS Keychain, pull saved browser credentials, sweep clipboard contents for sensitive fragments, and extract cryptocurrency wallet keys stored locally on the machine. The malware can also surface additional realistic macOS-style prompts asking for further system access — making the social-engineering layer persistent and hard for a typical user to detect.

The data profile is broad, but the crypto dimension is specific. Wallet keys are explicitly among the exfiltrated data types, which puts on-chain assets directly at risk for any infected user managing cryptocurrency holdings on their Mac. Whale Alert independently confirmed the same campaign scope, reporting that the fake Maccy distribution chain delivers malware targeting browser data, Keychain, clipboard contents, and crypto wallet information.

Why the Timing Matters for Crypto Holders

The timing is bad. The total crypto market cap sits at $2,301.51 billion, up 1.15% over 24 hours, but the Fear & Greed Index reads 24 — deep in Extreme Fear. BBTC$63,290.000.71% trades at $64,291, up 2.19% on the day. EETH$1,777.720.65% sits at $1,813, up 1.85%. In fearful markets, holders are often more susceptible to urgent-seeming prompts and fake utility downloads; it’s a pattern threat actors have repeatedly exploited across prior cycles.

No Zero-Day Required

PamStealer’s reliance on fake download sites rather than app store distribution is itself a signal. macOS has built-in notarization and Gatekeeper protections, but users who manually override those safeguards — or who are tricked into typing their password to authorize an unsigned installer — effectively hand the malware its first credential. No zero-day required. No sophisticated exploit chain. Just a convincing website and a user willing to type their password into a dialog that looks real enough.

Macworld, Digital Trends, Apple Insider, and Whale Alert have all independently reported on the campaign, corroborating both its existence and its scope. That convergence suggests the distribution operation is active and broad enough to have drawn attention across the macOS security community — this is not an isolated incident.

What to Do If You’re Affected

For users who rely on Maccy or similar utilities, researcher guidance is direct: download only from the project’s official GitHub repository or verified distribution channels, treat any unexpected password prompt with suspicion, and check whether an installer is notarized before entering credentials. The real Maccy remains a legitimate tool. The threat is the copy.

Mac users who suspect exposure should treat their Mac login password as compromised, rotate browser credentials and Keychain-protected secrets, and move any cryptocurrency wallet keys stored on the affected machine to a clean, air-gapped environment.

Nadia Rahman

Nadia Rahman

Markets Editor · 9 years covering crypto · Author page

Nadia Rahman is CoinScoop's Markets Editor. She covers Bitcoin, macro liquidity and the spot-ETF complex, and previously reported on rates and FX for a global newswire.

Disclosure: This article is independent journalism and is for information only — it is not financial advice. CoinScoop is reader-supported and may earn a commission from some links. Read our disclosure policy →