A disk image arrives on a Mac and looks, at first glance, like a popular utility called Maccy. Double-click it and something odd happens: a window opens in macOS Script Editor, the system tool developers use to write scripts, instead of launching an app. The window prompts the user to press Command-R, a keystroke most people associate with refreshing a web page, not with installing software.
If the user complies, the script runs and no system password dialog appears in the usual way. But somewhere on the Mac, a Rust program is doing something the user cannot see: it calls Apple's own authentication machinery to confirm that the Mac login password it has collected is real, and only then sends it to a server run by an attacker. That is PamStealer, a newly discovered macOS infostealer whose designers built in a local credential-validation step before exfiltration, a quiet check that means only working passwords ever leave the machine. Security researchers at Jamf Threat Labs discovered and analyzed the sample, and Ars Technica's Dan Goodin reported the details this week.
The lure pattern is familiar even if the specific code is new. Mac-targeted malware has long relied on disk images, or DMG files, posing as legitimate apps to get past a user's initial suspicion. Maccy, the clipboard manager PamStealer impersonates, is genuinely popular among Mac power users, which makes the fake installer more credible than a generic "free app" download. The mounted disk image contains not a real application but a script file, a small program that opens and runs inside macOS Script Editor. Hiding the malicious payload inside Script Editor rather than shipping a normal app is a deliberate choice. Most users associate Script Editor with developer work, not with software they have just installed, which makes the unusual window less alarming than it should be.
The technique that distinguishes PamStealer from earlier Mac stealers is what happens after the script runs. The first stage is written in JavaScript for Automation, or JXA, a built-in macOS scripting layer that lets scripts drive applications and system features. Where earlier infostealers often reached for shell commands like curl to fetch a second-stage payload, PamStealer's JXA loader calls native Objective-C APIs directly through JXA's Objective-C bridge, the same plumbing macOS apps use to talk to the operating system. Avoiding shell commands means no child process such as curl or sh is spawned, which leaves fewer traces in the process-execution logs and monitors that defenders watch most closely. The downloaded second stage, the actual credential stealer, is written in Rust, a language that produces large, statically linked binaries that are more laborious to reverse-engineer than typical C or Objective-C malware.
The stealer earns its name from the next step. Before exfiltrating the user's Mac login password, PamStealer checks it through Pluggable Authentication Modules, or PAM, the Unix authentication framework that macOS ships with and uses for operations like sudo and screen unlock. Legitimate system components call PAM constantly, so the check itself blends in with routine sign-in activity. Stealers that skip local validation either keep re-prompting until the victim types something that works, or ship whatever was typed and leave the attacker to test it. Validating locally means the attacker receives only a confirmed password, and the exfiltration collapses into a single, brief network event that is hard to flag on its own. The caveat for defenders is that the check is not invisible: the authentication is performed on behalf of a process that is none of the usual callers, and that attribution, rather than the network traffic, is the thing worth hunting for.
The Command-R prompt and the delayed request for Full Disk Access, the macOS permission that lets an app read protected files like Messages, Safari history and the keychain files on disk, are the social-engineering layer. Because the script runs inside Script Editor, an Apple-signed application, any permission it triggers is attributed to Script Editor rather than to an unknown binary, and the malware uses that borrowed identity to defer the kind of permission prompts users have been trained to scrutinize. After the user has pressed Command-R and any required passwords have been validated, the malware eventually surfaces a Full Disk Access request from what looks like Finder rather than from an unknown app, another step designed to feel routine.
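The execution chain described in the last two paragraphs (Script Editor handing off to a dropped second stage, and a process borrowing Finder's name for a permission prompt) is something a defender can hunt for in process-execution telemetry. The following is an added example, not code from the Jamf write-up or from the article: the record format, the Apple-path baseline, and the sample events are all constructed here, and the Finder check assumes the masquerade is done by process name, which the reporting does not specify. Map your own EDR or Endpoint Security export onto ExecEvent before using the rules.

```python
# Added example, not from the Jamf write-up or the article: a small hunt over
# process-execution records for the chain described above. The record format
# and the sample events are constructed for illustration.
from dataclasses import dataclass
from typing import List

# Locations where Apple-shipped executables live. A child that Script Editor
# launches from anywhere else (a temp directory, ~/Library, a mounted DMG) is
# the interesting case. Assumption: this baseline is reasonable, not exhaustive.
APPLE_EXEC_ROOTS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/bin/", "/sbin/")
FINDER_BINARY = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
SCRIPT_EDITOR_NAME = "Script Editor"


@dataclass(frozen=True)
class ExecEvent:
    ts: int            # seconds since epoch (constructed)
    pid: int
    ppid: int
    name: str          # process name as the OS (and a TCC prompt) would show it
    path: str          # on-disk path of the executable that was launched
    parent_name: str   # name of the process that performed the exec


def launched_by_script_editor_from_user_path(ev: ExecEvent) -> bool:
    """Script Editor running a script should not be exec'ing new binaries from
    user-writable locations; a JXA loader handing off to a dropped Rust stage
    would show up exactly here."""
    return (ev.parent_name == SCRIPT_EDITOR_NAME
            and not ev.path.startswith(APPLE_EXEC_ROOTS))


def masquerades_as_finder(ev: ExecEvent) -> bool:
    """A process calling itself Finder must come from the one real Finder
    binary. Anything else is borrowing the name (assumed masquerade technique)."""
    return ev.name == "Finder" and ev.path != FINDER_BINARY


def hunt(events: List[ExecEvent]) -> List[str]:
    """Apply both rules in timestamp order and return one finding per hit."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if launched_by_script_editor_from_user_path(ev):
            findings.append(
                f"{ev.ts} pid={ev.pid} Script Editor launched {ev.path} "
                f"(outside Apple-shipped roots)")
        if masquerades_as_finder(ev):
            findings.append(
                f"{ev.ts} pid={ev.pid} process named Finder ran from {ev.path}")
    return findings


# Constructed sample: a benign Script Editor session that runs an Apple tool,
# then the suspicious chain. These paths are not indicators from the real sample.
SAMPLE_EVENTS = [
    ExecEvent(1000, 501, 1, "Script Editor",
              "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
              "launchd"),
    ExecEvent(1001, 502, 501, "say", "/usr/bin/say", "Script Editor"),
    ExecEvent(1002, 503, 501, "com.apple.update",
              "/Users/alice/Library/Caches/.x/com.apple.update", "Script Editor"),
    ExecEvent(1003, 504, 503, "Finder",
              "/Users/alice/Library/Caches/.x/Finder", "com.apple.update"),
    ExecEvent(1004, 505, 1, "Finder", FINDER_BINARY, "launchd"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed sample, the hunt reports two findings: the binary Script Editor launched from the user's cache directory, and the fake Finder that ran from the same directory. The benign events, Script Editor invoking /usr/bin/say and the real Finder started by launchd, are left alone. The first rule is the more general one; it fires on any Script Editor-to-binary handoff outside Apple's paths regardless of what the payload is called.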
The pattern is what makes PamStealer worth watching even at this early stage. Local credential validation, a borrowed Finder identity, and a delayed Full Disk Access prompt mean a user cannot rely on the usual "macOS will warn me" signals alone. The story is not that Macs are now broadly compromised. Jamf Threat Labs' write-up describes a single discovered sample, with no public attribution to a named threat actor, no victim count, and no evidence yet of widespread distribution. No independent replication, additional samples, or detection signatures from other researchers have appeared yet.
What to watch next: whether other security vendors replicate Jamf's analysis on additional samples, whether detection indicators or search patterns emerge that let defenders look for PamStealer on Mac fleets, and whether the same builder resurfaces posing as other popular Mac utilities. The broader macOS infostealer lineage, including earlier families such as MacStealer and Atomic Stealer, has spent the last few years iterating on quieter execution chains, and the open question for defenders is whether the PAM-credential-validation step gets picked up by copycats.