Summary created by Smart Answers AI
In summary:
- Macworld reports that new ‘CrashStealer’ malware targets Mac users by stealing passwords, browser data, and cryptocurrency wallet information through deceptive tactics.
- The malware uses a legitimate-appearing app called Werkbit and impersonates Apple’s crash reporting tool to trick users into providing credentials.
- Jamf Threat Labs discovered this infostealer, and Apple has revoked the developer credentials to help prevent further distribution of the malicious software.
Yet more evidence that owning a Mac doesn’t make you immune to hacking: researchers have identified another piece of malware on macOS, this time one designed to steal your passwords and browser data. It’s been given the name “CrashStealer.”
Jamf Threat Labs first noticed and began tracking what appeared to be “an infostealer still in development” in early May, and reports that it had matured to active use by early July. It’s notable for impersonating Apple’s own crash reporting setup.
The payload is delivered by a seemingly innocuous meeting app called Werkbit. This dropper, Jamf explains, is particularly dangerous because it seems legitimate: during the research period, it carried both an Apple notarisation ticket and a valid developer ID.
Jamf has since reported the issue to Apple, and AppleInsider reports that Apple has revoked those credentials. Hopefully, this should impede the malware’s ability to cause harm.
The dropper downloads a disk image, CrashReporter.dmg, containing an app bundle, CrashReporter.app. The CrashReporter app has a legitimate-looking icon and is designed to look like an Apple tool, so when it presents a password prompt (with the somewhat plausible phrase “System Preferences wants to make changes” and standard artwork), you may be persuaded to comply.
Once the malware has the access it wants, it sets about harvesting and exfiltrating your data. The malware seeks out browser data, including Brave, Chrome, Chromium, Edge, NAVER Whale, Opera and Opera GX, and Vivaldi; cryptocurrency wallets, including Backpack, Coinbase, Exodus, Keplr, MetaMask, OKX Wallet, Phantom, Rabby, Trust Wallet, and Solflare; and password managers, including 1Password, Bitwarden, Dashlane, Enpass, KeePassXC, Keeper, LastPass, NordPass, and RoboForm.
We recommend reading Jamf’s analysis for full details of the malware. And of course, watch out for Werkbit and CrashReporter, and be wary of even seemingly legitimate system password prompts.



