🟠 High | Source: The Hacker News
A new macOS information stealer called PamStealer is being distributed via fake websites impersonating Maccy, a popular open-source clipboard manager, using a compiled AppleScript file to compromise systems. Once installed, it abuses macOS’s Pluggable Authentication Module (PAM) framework to harvest login passwords and exfiltrate sensitive data. The threat is notable for its use of a trusted open-source tool as a lure and its exploitation of a legitimate OS authentication mechanism.
Security Architect’s Take: Enforce application allowlisting and restrict execution of unsigned or unverified AppleScript files on managed macOS endpoints using MDM policies; also audit any macOS developer workstations or CI/CD runners for unauthorised clipboard utilities, as these are common targets in software supply chain attacks.
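One concrete check to pair with the MDM controls above, added here as an example and not code from the article or from the malware report: a POSIX shell audit of a PAM configuration directory that flags service files loading a module from outside the platform's trusted module directory. It assumes macOS keeps its PAM modules under /usr/lib/pam/ and that stock /etc/pam.d entries reference them by bare name; the TRUSTED_PAM_DIR variable, the audit_pam_dir function and the sample entries in the usage comment are constructed for this example.

```shell
#!/bin/sh
# Added defensive check (not code from the article or the malware report):
# audit a PAM configuration directory for service files that load a module
# from outside the platform's trusted module directory.
# Assumption: macOS keeps its PAM modules in /usr/lib/pam/ and the stock
# /etc/pam.d files reference them by bare name (e.g. pam_opendirectory.so),
# so an entry pointing at an absolute path elsewhere on disk is an anomaly
# worth investigating.

TRUSTED_PAM_DIR="${TRUSTED_PAM_DIR:-/usr/lib/pam/}"

# audit_pam_dir DIR
# Prints one "file:line:module" record per suspicious entry.
# Exit status is 0 when nothing was flagged, 1 otherwise.
audit_pam_dir() {
  dir="$1"
  total=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # PAM line layout: <type> <control> <module> [args...]. The control field
    # may be a bracketed form such as [success=ok default=die], so instead of
    # relying on field position we take the first token that ends in .so.
    hits=$(awk -v trusted="$TRUSTED_PAM_DIR" -v file="$f" '
      /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
      {
        for (i = 1; i <= NF; i++) {
          if ($i ~ /\.so(\.[0-9]+)*$/) {           # first module-looking token
            if ($i ~ /\// && index($i, trusted) != 1)
              print file ":" NR ":" $i             # path given, not under trusted dir
            break
          }
        }
      }' "$f")
    [ -z "$hits" ] && continue
    printf '%s\n' "$hits"
    total=$((total + $(printf '%s\n' "$hits" | wc -l)))
  done
  [ "$total" -eq 0 ]
}

# Stand-alone usage against the live system (constructed example):
#   audit_pam_dir /etc/pam.d || echo "review the flagged entries above"
```

Bare-name entries are not flagged because macOS resolves them only against /usr/lib/pam/; the check targets the case where a service file has been edited to pull a module from a writable location.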
Original advisory: PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords