Mac Users Beware: New Mac Malware Silently Steals Passwords Using Apple's Own Security Tools

mac malware, infostealer, macos security, data theft, keychain exploit, amos stealer, cybersecurity 2026

Your Mac's reputation for security is working against you. Attackers know you trust it — and they're exploiting that trust systematically.

Infostealers became the fastest-growing malware category in 2025, overtaking ransomware in deployment frequency, and macOS has become a primary target rather than an afterthought. The threat isn't hypothetical. Right now, multiple active malware families — AMOS, DigitStealer, MacSync, and the newly disclosed PamStealer — are operating on real Macs, stealing real credentials, and moving real money out of real crypto wallets. No exploit required. No zero-day. Just you, a convincing download page, and one misplaced click.Tech Times

fake macOS password prompt used by Mac malware to steal login credentials silently

Why Your Mac is Now a Bigger Target for Data Thieves

The "Macs don't get viruses" myth has become a liability. As Mac adoption grew in corporate and developer environments, it created a high-value target that attackers couldn't ignore. Your Mac now likely holds SSH keys, AWS credentials, crypto wallets, corporate VPN configs, and saved passwords for everything from banking to email.

AMOS alone accounted for almost 40% of macOS protection updates in 2025 — more than double any other macOS malware family — and nearly half of macOS stealer customer reports in the most recent three-month period. That's not background noise. That's a coordinated, scaled attack campaign. SOPHOS

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, and secrets from browsers, keychains, and developer environments. "Fileless" means nothing lands on your hard drive as a detectable file. Standard antivirus scanners looking for known bad files will miss it entirely. Microsoft

The delivery method has also evolved. Attacks are delivered through ClickFix-style prompts and malicious DMG downloads, relying on user interaction to initiate execution — designed to steal credentials, session material, and infrastructure secrets that can enable account takeover, financial theft, and follow-on compromise of cloud and developer resources. Microsoft Community Hub

The threat model is simple: you are the vulnerability, not macOS.

What Happens When Your Mac's Private Info Is Stolen

When an infostealer runs on your Mac, the damage isn't a single event — it's a cascade. First your credentials go. Then your sessions. Then your money. Then possibly your employer's network.

Here's what the current generation of Mac infostealers actually targets:

Malware Family Key Data Stolen Notable Technique First Seen
AMOS Keychain, browser credentials, cookies, crypto wallets ClickFix Terminal lure; Malware-as-a-Service model April 2023 (still active)
DigitStealer Documents, browser data, VPN configs, Telegram sessions Multi-stage payload; hardware-based anti-analysis checks Nov 2025
MacSync Browser credentials, Safari sessions, Apple Notes, crypto wallets Fully fileless; in-memory pipeline via curl | base64 -d | gunzip Dec 2025
PamStealer iCloud Keychain, browser cookies, clipboard, SQLite databases Validates your password via Apple's own PAM API before stealing July 2026

The newest threat, PamStealer, represents a genuine escalation. Rather than just recording whatever a victim types into a fake password prompt, the malware validates the Mac login password locally using Apple's Pluggable Authentication Modules before continuing — giving attackers immediate confirmation that the compromised credential will actually work. Attackers receive a verified, usable credential. You receive nothing — no error, no warning, no indication anything went wrong. AppleInsider

The downstream impact extends far beyond your device. Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise, supply chain attacks, and ransomware attacks. If you use your Mac for work, your employer's infrastructure may be the real target.

Signs Your Mac Might Have a Hidden Data Thief

Most infostealers are designed to be silent. But they're not invisible. There are behavioral signals worth knowing.

Watch for these on your Mac:

  • Unexpected password prompts — especially ones asking for your login password to complete a routine task. PamStealer impersonates Finder while convincing victims to grant Full Disk Access. Legitimate macOS apps rarely need this permission.
  • Unfamiliar Login Items — go to System Settings → General → Login Items. Any entry you don't recognize, particularly ones with vague names mimicking system utilities, warrants investigation.
  • Unusual outbound network connections — infostealers must phone home. Tools like Little Snitch or the built-in Activity Monitor's Network tab can surface unexpected connections.
  • Clipboard access by background apps — PamStealer harvests clipboard data by repeatedly invoking pbpaste at irregular intervals. If an app has no legitimate reason to read your clipboard, that's a red flag.
  • Script Editor or Terminal activity you didn't initiate — a clear indicator of post-infection activity.

You can run a quick check for suspicious login items from Terminal:

# List all login items registered via launchctl (user context)
launchctl list | grep -v "com.apple" | grep -v "com.microsoft" | grep -v "org.mozilla"

# Check for suspicious LaunchAgents planted by malware
ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/

# Look for unusual processes accessing the Keychain
log stream --predicate 'subsystem == "com.apple.securityd"' --level debug 2>/dev/null | head -50

Any unfamiliar plist files in your LaunchAgents folders are worth examining immediately.

macOS Terminal showing launchctl command to detect suspicious Mac malware login items

Easy Steps to Guard Your Mac and Keep Your Data Safe

The most effective defenses against current Mac infostealers are behavioral, not technical. That's because the malware is specifically engineered to look like legitimate activity at the system level.

Download discipline is your first line of defense:

  • Only install software from the Mac App Store or verified developer websites. Always confirm you're on the correct domain — not maccyapp.com vs maccy.app.
  • Be careful what you run in Terminal. Don't follow instructions from unsolicited messages — DigitStealer and MacSync specifically leverage drag-to-Terminal techniques to override Gatekeeper. Malwarebytes
  • Never paste a command into Terminal that you received from a web page, pop-up, or chat message you didn't explicitly initiate.

Harden your macOS permissions:

  • Audit Full Disk Access in System Settings → Privacy & Security → Full Disk Access. Remove anything you don't actively use. This single permission is what allows infostealers to access your Keychain and browser databases at scale.
  • Disable access to your clipboard for apps that don't need it under Privacy & Security → Pasteboard.

Enable key macOS protections:

# Verify Gatekeeper is active (should return "assessments enabled")
spctl --status

# Re-enable Gatekeeper if disabled
sudo spctl --master-enable

# Check System Integrity Protection status (should be "enabled")
csrutil status

Use a password manager with breach detection. If your credentials have already been harvested and posted online, you can check exposure through Have I Been Pwned — a free service maintained by security researcher Troy Hunt that tracks billions of leaked credentials.

Install real-time behavioral protection. DigitStealer highlights the need for advanced behavioral protection, not just signature scans — static detection alone will miss fileless or novel variants. Malwarebytes for Mac and Jamf Protect both detect the current major infostealer families.

macOS Privacy Security settings showing Full Disk Access permissions to protect against Mac malware data theft

The honest limitation you need to know:
Every protection listed here depends on Apple's macOS security frameworks — and that's exactly the attack surface current infostealers are exploiting. PamStealer uses Apple's own PAM API exactly as designed, leaving no subprocess trace and offering no patch Apple can ship to stop it. Behavioral protection tools can flag known malware families, but a novel variant using only legitimate macOS APIs will likely pass through undetected on first execution. Your most durable protection remains the same as it was before behavioral detection existed: don't run software you didn't deliberately choose to install from a source you explicitly verified.


Sources:

  • Microsoft Security Blog — Infostealers Without Borders
  • Malwarebytes — DigitStealer Analysis
  • Jamf Threat Labs / Apple Insider — PamStealer
  • Sophos X-Ops — Why AMOS Matters
  • TechTimes — PamStealer PAM API Analysis
  • Have I Been Pwned
Share: