PamStealer Uses Fake Maccy Sites and PAM Checks to Steal macOS Login Passwords
What Happened — Researchers at Jamf Threat Labs identified a new macOS information‑stealer dubbed PamStealer. The malware is delivered as a compiled AppleScript masquerading as the legitimate open‑source clipboard manager Maccy and then harvests macOS login credentials by abusing PAM (Pluggable Authentication Modules) checks.
Why It Matters for Compliance & Audit Readiness
- Credential theft directly tests the effectiveness of SOC 2 CC6.1 (Logical Access) controls; a breach indicates gaps in privileged‑access monitoring and MFA enforcement.
- Continuous evidence of access‑control enforcement (e.g., PAM audit logs) is essential to demonstrate due diligence during a SOC 2 audit.
- Security‑awareness training that covers deceptive download vectors helps satisfy CC1.2 (Security Awareness) requirements.
Who Is Affected — Enterprises with macOS workstations across technology, finance, and professional services sectors.
Recommended Actions
- Enforce MFA for all macOS admin and privileged accounts.
- Deploy endpoint protection that blocks unsigned AppleScript execution and monitors PAM activity.
- Conduct phishing‑simulation and awareness training focused on fake‑software downloads.
- Integrate PAM log collection into your continuous‑compliance monitoring platform to retain audit‑ready evidence.
Source: The Hacker News
Technical Notes
- Distribution vector: fake Maccy download page (social‑engineering).
- Payload: compiled AppleScript (.scpt) that invokes PAM checks to capture the macOS password hash.
- No public CVE; the technique exploits legitimate macOS authentication modules.