Fake Mac clipboard app installs new Rust-based password-stealing malware
Mac users looking to download the popular open-source clipboard manager Maccy are being lured into installing a malicious clone that secretly deploys a brand-new information-stealing malware called PamStealer. The campaign, discovered by Jamf Threat Labs, targets login credentials and cryptocurrency wallet data on macOS systems.
According to Jamf’s analysis, attackers have set up a convincing lookalike website that poses as the official distribution page for Maccy. Instead of delivering the legitimate application, the site offers a disk image (DMG) file that contains a booby-trapped AppleScript. Once executed, that script launches a multi-step infection chain designed to trick users into handing over their passwords while quietly installing a Rust-based infostealer in the background.
Inside the disk image is a file named `Maccy.scpt`, which is presented as part of the setup process for the clipboard manager. When a user opens this file, it displays what appears to be harmless installation instructions and prompts them to run the script within Apple’s built-in Script Editor. The visible portion of the script looks benign and is crafted to look like a necessary step for getting Maccy up and running.
The dangerous part is what the user doesn’t see. Further down in the same AppleScript file, obscured from casual inspection, the attackers have embedded malicious code that performs the actual compromise. While users believe they are following legitimate setup directions, the hidden section of the script is silently deploying PamStealer onto the system.
Jamf Threat Labs says it is tracking this malware under the name “PamStealer” because one of its defining behaviors is interacting with macOS’s Pluggable Authentication Modules (PAM). Before doing anything else, the malware attempts to verify and capture the victim’s login password by leveraging PAM, a standard framework macOS uses to handle authentication. This allows the malware not only to confirm it has the correct password, but also to exfiltrate it for later use by attackers.
With a valid login password in hand, PamStealer gains an extremely powerful foothold. On macOS, many sensitive actions and data vaults – such as the Keychain, which stores passwords and encryption keys – are protected behind the user’s credentials. By first validating and stealing that password, the malware can reliably unlock additional resources, bypass security prompts, and expand the scope of data theft.
Written in Rust, PamStealer benefits from the language’s growing popularity in the malware ecosystem. Rust produces efficient, cross-platform binaries that are often more resilient to analysis and reverse engineering. This makes the payload harder for defenders to dissect and can help it evade traditional detection techniques that focus on more common languages or known patterns.
Once active, the infostealer’s primary goals are to harvest passwords and financial secrets. Jamf’s report notes that PamStealer is capable of targeting login data and cryptocurrency wallet keys, making it particularly dangerous to users who manage digital assets from their Mac. Access to a wallet’s private keys is functionally equivalent to owning the funds; once an attacker has them, they can transfer assets away with no way for the victim to reverse the transaction.
The choice to impersonate Maccy is strategic. Maccy is an open-source clipboard manager popular among power users and developers, who are more likely to install utilities from the web and work with scripts. That audience may also be more likely to hold cryptocurrency and developer credentials, raising the potential value of any stolen data. By mimicking a trusted, technical tool, the attackers reduce suspicion and increase the odds users will follow instructions that involve running scripts or bypassing built-in warnings.
The distribution method also highlights a recurring theme in modern macOS attacks: social engineering. Instead of relying solely on sophisticated exploits, the attackers lean on user behavior. The fake website looks legitimate, the app name is familiar, and the installation flow is framed as a normal macOS scripting step. Users are nudged into doing the hard part for the attackers – granting execution and, ultimately, typing in passwords when prompted.
Although macOS includes multiple security controls such as Gatekeeper, notarization checks, and XProtect, they are not foolproof if the user is convinced to override warnings or manually run untrusted code. AppleScript, in particular, can appear less threatening to non-technical users because it is often associated with automation and productivity tasks rather than malware delivery.
This campaign underscores a broader shift in macOS threats. Attackers are increasingly willing to invest in platform-specific tooling rather than treating the Mac as a secondary target. The combination of a Rust-based payload, a polished impersonation of a real open-source app, and abuse of macOS authentication frameworks shows a level of sophistication that goes beyond crude copycat malware.
For everyday Mac users, the incident is a reminder that not every search result or lookalike site is safe, even when looking for well-known open-source tools. Downloading utilities only from their verified official pages or trusted app repositories dramatically lowers the risk of installing trojanized versions. Any request to run a script, especially one obtained from a third-party site, should be treated with caution and inspected closely if possible.
Security professionals also view the abuse of PAM as a notable escalation. By validating and siphoning off login credentials at such a low level, PamStealer can potentially act as a launching pad for follow-on attacks, including lateral movement within corporate networks or access to additional cloud services tied to the compromised account. Once a primary device password is lost, attackers can chain that into broader identity theft and long-term account compromise.
The targeting of crypto wallets is a predictable but serious angle. Clipboard managers are frequently used by traders and investors who copy and paste wallet addresses and private keys. A malicious clone of a clipboard utility, combined with an infostealer, is well-positioned to intercept those secrets, monitor clipboard contents, or modify pasted addresses to redirect outgoing transfers to attacker-controlled wallets.
From a defensive standpoint, organizations should consider tightening controls around script execution and monitoring for unusual AppleScript activity, especially scripts that invoke authentication prompts or interact with PAM. Endpoint security tools on macOS should be configured to pay particular attention to Rust binaries that appear unexpectedly, as well as to deviations from normal user login behavior and Keychain access patterns.
Users who suspect they may have installed a fake version of Maccy or run suspicious scripts should immediately change their system login password from a known-clean device, review and rotate passwords stored in their Keychain or password manager, and check for any unauthorized access to financial or crypto accounts. It is also prudent to remove unknown applications and services, and, when in doubt, perform a clean reinstall of macOS and restore only from trusted backups.
The PamStealer campaign reinforces a key lesson: even on platforms perceived as more secure, such as macOS, attackers will exploit trust in popular tools, subtle social engineering, and modern programming languages to bypass defenses. Staying safe increasingly means combining the platform’s built-in protections with skeptical download habits, careful review of installation steps, and a healthy reluctance to execute scripts from unverified sources.

