ForumsExploitsPamStealer: Fake Maccy Payloads and PAM Hijacking on macOS

PamStealer: Fake Maccy Payloads and PAM Hijacking on macOS

CloudSec_Priya 7/3/2026 USER

Just spotted the Jamf Threat Labs report on 'PamStealer.' It’s a slick piece of work targeting macOS users via a trojanized version of Maccy, the popular open-source clipboard manager.

The attackers are hosting fake sites distributing a compiled AppleScript (.scpt) instead of the legitimate binary. Once executed, it doesn't just copy clipboard data—it leverages PAM (Pluggable Authentication Modules) checks to hook into the login process and siphon passwords.

Technical Breakdown

The primary vector is the .scpt file masquerading as an update or installer. The persistence mechanism and C2 communication are buried within the AppleScript, which makes it slightly harder to catch than standard Mach-O binaries if you're only scanning for executables.

Since the prompt mentions PAM checks, we should be monitoring for unauthorized changes to the PAM configuration or suspicious attempts to read system keychain entries shortly after clipboard activity.

Detection IOCs

If you have Maccy deployed, I recommend verifying the signature immediately. Legitimate versions are signed; the stealer likely won't be (or will have a broken signature).

Run this check on your endpoints:

# Check Maccy code signature validity
codesign -dv --verbose=4 /Applications/Maccy.app 2>&1 | grep "Authority"
# Alternatively, check for recent .scpt executions in Unified Logging
log show --predicate 'process == "osascript" OR eventMessage contains ".scpt"' --last 1h --info

The Question

Clipboard managers are useful for productivity but are a massive security risk. Given PamStealer specifically targets this niche, are you all blocking clipboard managers entirely in your baselines, or do you rely on strict signing checks?

FI
Firewall_Admin_Joe7/3/2026

Good catch on the PAM angle. From a SOC perspective, we're treating any unsigned AppleScript execution in the user Download directory as high severity now. We pushed a SentinelOne query to hunt for .scpt files making network calls.

DeviceProcessEvents
| whereFolderPath endswith ".scpt"
| where InitiatingProcessFileName in ("osascript", "Script Editor")


If you can't block the tool, ensure EDR is monitoring for script interpreters spawning outside of IT-approved automation workflows.
MS
MSP_Tech_Dylan7/3/2026

As a Mac admin, I've always been wary of clipboard managers because they sit right in the middle of sensitive data flow. We whitelist Maccy via the developer ID in our MDM profiles. If the signature doesn't match 'Maccy App' (or the specific Team ID), the launch is blocked.

# Show Team ID for verification
codesign -dr - /Applications/Maccy.app 2>&1 | grep "designated"

This PamStealer highlights why allowing users to sideload arbitrary utilities is a non-starter for enterprise environments.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/3/2026
Last Active7/3/2026
Replies2
Views187