Security researchers at Jamf Threat Labs have identified a new strain of macOS malware dubbed “PamStealer,” which masquerades as the popular clipboard management utility, Maccy. The malware spreads via fraudulent websites that mimic legitimate software distribution pages, tricking users into downloading malicious AppleScript files disguised as “Maccy.scpt” inside disk images. Once executed, the script leverages the macOS Pluggable Authentication Modules (PAM) to intercept and transmit sensitive user credentials to external attackers.
How Does PamStealer Compromise Your Mac?
The core danger of PamStealer lies in its technical exploitation of system-level authentication. According to reporting by Macwelt, which cites analysis from Jamf Threat Labs, the malware is specifically designed to target the PAM framework. By masquerading as a routine clipboard manager, the software gains a foothold on the system, where it can monitor and capture login passwords as the user interacts with the machine. Unlike standard trojans that might simply hide in the background, this malware utilizes the expected behavior of the operating system to harvest data, making it particularly difficult for users to detect without specialized security tools.

The “PAM” in PamStealer refers to Pluggable Authentication Modules, a standard mechanism used by Unix-like operating systems, including macOS, to handle user authentication tasks like logging in or unlocking system settings.
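Because a PAM-based credential stealer needs a module of its own to be loaded by the authentication stack, one defender-side check is to audit every policy file under /etc/pam.d for modules that Apple did not ship. The following is an added example, not code from Jamf Threat Labs or this article; the page does not say how PamStealer registers itself, so the sample policy and the injected module path below are constructed for illustration only.

```python
import os

PAM_DIR = "/etc/pam.d"               # per-service PAM policies on macOS
SYSTEM_MODULE_DIR = "/usr/lib/pam"   # where Apple's pam_*.so modules live
PAM_TYPES = {"auth", "account", "password", "session"}

def parse_pam_policy(text):
    """Return (type, control, module, args) for each effective line of a policy."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments; blank lines give []
        if len(fields) >= 3 and fields[0] in PAM_TYPES:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def suspicious_modules(text, known_modules, system_dir=SYSTEM_MODULE_DIR):
    """Entries that load a module Apple did not ship: a bare name must be on the
    known list (OpenPAM resolves it inside system_dir); an absolute path must
    stay inside system_dir."""
    findings = []
    for mtype, control, module, _args in parse_pam_policy(text):
        if control == "include":          # third field names another policy, not a module
            continue
        if os.path.isabs(module):
            if not os.path.normpath(module).startswith(system_dir.rstrip("/") + "/"):
                findings.append((mtype, module, "absolute path outside " + system_dir))
        elif module not in known_modules:
            findings.append((mtype, module, "module name not shipped by Apple"))
    return findings

def audit_pam_dir(pam_dir=PAM_DIR, known_modules=None):
    """Map each policy file in pam_dir to its findings (empty list means clean)."""
    if known_modules is None:             # default: whatever really sits in /usr/lib/pam
        known_modules = set(os.listdir(SYSTEM_MODULE_DIR))
    report = {}
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                report[name] = suspicious_modules(fh.read(), known_modules)
    return report

# Constructed sample modelled on a sudo policy, plus one injected line with a hypothetical path.
SAMPLE_SUDO_POLICY = """\
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       optional       /Users/Shared/.cache/pam_hook.so   # injected (hypothetical)
account    required       pam_permit.so
"""
KNOWN_APPLE_MODULES = {"pam_smartcard.so", "pam_opendirectory.so", "pam_permit.so", "pam_deny.so"}
```

On a real machine, `audit_pam_dir()` walks /etc/pam.d and compares against the modules actually present in /usr/lib/pam; any non-empty entry in the report deserves a look at the module's code signature and origin.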
Why Is Software Distribution Security Evolving?
The emergence of PamStealer highlights a growing trend in “masquerade attacks,” where cybercriminals use SEO poisoning and lookalike websites to deceive users. While the Mac App Store remains the most secure distribution channel—as Apple vets every application before listing—many developers distribute software directly to avoid platform fees or to provide specialized features. This necessity for direct distribution creates a window for attackers to replicate developer websites. Security experts warn that the primary defense against this trend is adhering to strict download hygiene: verify the URL matches the official developer site, such as maccy.app or the project’s verified GitHub repository, and ignore unsolicited links sent via SMS or email.
Pro Tips for Identifying Malicious Downloads
- Verify the Source: Always cross-reference the download link with the developer’s official social media or verified GitHub profile.
- Inspect the File Extension: Be wary of unexpected file types like .scpt (AppleScript) or .pkg files when you expect a standard .dmg or .app bundle.
- System Warnings: Never bypass macOS Gatekeeper warnings that flag software from an “unidentified developer.”
Frequently Asked Questions
What should I do if I think I downloaded PamStealer?
Immediately disconnect your Mac from the internet, delete the suspicious file, and use a reputable security scanner to check for remaining traces. If you suspect your password was compromised, change it immediately from a different, secure device.

Is the legitimate Maccy app safe?
Yes. The security risk is specific to counterfeit versions of the software distributed via malicious websites, not the legitimate Maccy application downloaded from its official site or GitHub.
Why is the Mac App Store safer?
Apple performs automated and manual security checks on all software submitted to the Mac App Store, which helps prevent malicious code from reaching end-users.
