🟢 Verified 📰 News 🇰🇷 Korean

A fake Mac app that steals crypto wallet keys — how lookalike downloads really work

· ✍️ altrookie editorial · 👁️ Read-only

Security researchers at Jamf Threat Labs have flagged a new piece of Mac malware, nicknamed PamStealer, that disguises i…


Security researchers at Jamf Threat Labs have flagged a new piece of Mac malware, nicknamed PamStealer, that disguises itself as a popular free clipboard app to steal passwords, browser logins, and crypto wallet keys. The researchers say they have not yet seen it used against real victims and have notified Apple, but the way it spreads is a pattern every beginner should learn to recognize.

The trick starts with a lookalike website for Maccy, a legitimate open-source clipboard manager. The fake download is a disk image containing a malicious script that, when opened, shows friendly-looking instructions telling you to run it in Apple's Script Editor while hiding the harmful code further down the file. One detail stands out: before stealing your login password, the malware quietly checks that the password is correct through a built-in macOS system, which is where its nickname comes from.

Once it is running, it pulls down a second program disguised as Finder or Software Update. From there it can lift saved browser passwords, read data from the macOS Keychain, watch whatever you copy to your clipboard, and send it all to the attacker. To dig deeper, it pops up a fake Finder alert asking for Full Disk Access, and it can wait up to 40 minutes after you installed the app to show that request, so you are less likely to connect the two.

This is not really about one app. Jamf says attackers routinely buy Google ad space to push these fakes, and it recently spotted a sponsored ad on X, delivered through a verified account, promoting another Mac tool that told users to paste a command into Terminal, which installed a different password stealer. The same wave has included a fake OpenAI code repository and a malicious code-editor extension. The lure changes; the goal of tricking you into running attacker code stays the same.

For a beginner, a few habits block most of this. Download apps only from the developer's official site or a trusted store, and be deeply suspicious of any download that tells you to run a script in Script Editor or paste a command into Terminal, no matter how legitimate the ad or account looks. Treat a request for Full Disk Access as a red flag. For crypto specifically, a tool that can watch your clipboard and read your Keychain is enough to drain a wallet, so keep meaningful holdings in a hardware wallet and never store your seed phrase anywhere software can read it. This is information, not advice.