Summary created by Smart Answers AI
In summary:
- Macworld reports that Jamf Threat Labs identified PamStealer, a new macOS malware targeting users of the Maccy clipboard manager through fake websites distributing malicious AppleScript files.
- The sophisticated malware uses a quiet execution chain with JXA and Rust to steal login passwords via macOS Pluggable Authentication Modules, making detection difficult.
- Users should only download Maccy from the official maccy.app website or GitHub, avoid suspicious links, and use the Mac App Store for safer software installations.
Jamf Threat Labs has issued a report on new malware that users of the third-party clipboard manager Maccy need to be aware of. The malware, dubbed “PamStealer,” is distributed by malicious sites that impersonate the actual Maccy website, with downloadable files that trick visitors into thinking they are getting legitimate Maccy files.
The fake files are Maccy.scpt AppleScript files, made to look like legitimate installer files and distributed on disk images. When the file is launched, users are instructed to run the script, which then triggers a payload that can track information on your Mac and send it to a threat agent. The name PamStealer refers to the malware’s validation of the victim’s login password through the macOS Pluggable Authentication Modules (PAM).
To avoid downloading the malicious files, Maccy customers should make sure they are visiting the maccy.app website. According to a disclaimer on that website, “maccy.app is the only official website.” Customers can also visit the Maccy GitHub website at https://github.com/p0deje/Maccy, which states that “maccy.app is the only official website.”
Maccy is a free open-source clipboard manager that tracks clipboard history. Apple only just introduced a clipboard history tracker in macOS Tahoe through Spotlight, so these third-party managers are popular among power users. However, as Jamf explains, the delivery mechanism for this particular threat could have far-reaching implications beyond just this particular app:
“Although disk images and AppleScript-based malware are well-established on macOS, PamStealer combines them in an interesting way. Rather than relying on shell commands such as curl or zsh, the AppleScript executes a self-contained JavaScript for Automation (JXA) downloader that retrieves and stages the payload using native Objective-C APIs. Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.”
The report goes into great depth on how the attack tricks users, and concludes: “Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features.”
How to protect yourself from malware
The easiest way to protect yourself from malware is to avoid downloading software from unfamiliar download sites. Never open links in emails or texts you receive from unknown and unexpected sources. If you get a message that looks like it is from an entity that you do business with, check the sender’s email address and inspect the URL carefully. If you see a link or button, you can Control-click it, select Copy Link Address, and then paste it into a text editor to see the actual URL to check it there.
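The URL inspection described above can be automated. The following Python check is an added example, not code from Macworld, Jamf or the Maccy project: it accepts a copied link only when the host is exactly maccy.app or the link points into the github.com/p0deje/Maccy repository. The function name, the exact-match policy and the .example sample hosts are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

# Official sources named in the article; exact-match only (assumption:
# no subdomain of maccy.app is treated as official).
OFFICIAL_HOST = "maccy.app"
GITHUB_HOST = "github.com"
GITHUB_REPO = "/p0deje/maccy"  # compared case-insensitively


def check_maccy_url(url):
    """Return (is_official, reason) for a copied download link."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "not an https link"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii() or "xn--" in host:
        return False, "internationalized host, possible look-alike"
    if host == OFFICIAL_HOST:
        return True, "official website"
    if host == GITHUB_HOST:
        path = unquote(parts.path).lower()
        if ".." in path.split("/"):
            return False, "path contains '..' segments"
        if path == GITHUB_REPO or path.startswith(GITHUB_REPO + "/"):
            return True, "official GitHub repository"
        return False, "github.com, but not the p0deje/Maccy repository"
    return False, f"host '{host}' is not an official Maccy source"


if __name__ == "__main__":
    # Constructed sample links; the .example hosts are placeholders.
    for link in (
        "https://maccy.app/",
        "https://github.com/p0deje/Maccy/releases",
        "https://maccy.app.downloads.example/Maccy.dmg",
        "https://maccy.app@downloads.example/Maccy.dmg",
        "https://github.com/p0deje/Maccy-installer",
    ):
        print(link, "->", check_maccy_url(link))
```

The check compares the parsed host rather than searching the link text for "maccy.app", so a link that merely contains the official name as a prefix or before an "@" is rejected.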
Apple has vetted software in the Mac App Store, and it is the safest way to get apps. If you prefer not to patronize the Mac App Store, then buy software directly from the developer and their website. If you insist on using cracked software, you will always risk malware exposure.
Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.



