调查结果发布之际,攻击者越来越多地将恶意软件伪装成合法软件,并滥用受信任的开发者平台和广告渠道。最近的活动包括一个虚假的 OpenAI 存储库,该存储库在分发基于 Rust 的信息窃取程序之前已登上 Hugging Face 热门项目的榜首;GitHub 表示,该恶意 Visual Studio Code 扩展暴露了大约 3,800 个内部存储库;以及针对 OpenAI 和 Mistral AI 等人工智能公司使用的开发工具的 Shai-Hulud 软件供应链活动。
以及原创专题、播客、视频等开始。
In brief
Jamf Threat Labs identified a new Rust-based macOS infostealer posing as the Maccy clipboard manager.
The malware validates victims' passwords through macOS PAM before stealing them.
Researchers also spotted ClickFix-style malware delivered through a sponsored
Mac users searching for the open-source clipboard manager Maccy are being targeted by a fake version of the app that installs a new Rust-based infostealer dubbed PamStealer, according to cybersecurity firm Jamf Threat Labs. If successful, the malware could steal users’ passwords and crypto wallet keys.
“We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it,” Jamf Threat Labs wrote.
From there, the malware uses JavaScript for Automation and native macOS APIs to download a second-stage payload without relying on common shell utilities such as curl or zsh, reducing the number of processes security tools can observe.
"With many stealers, we have seen attackers purchasing Google Ad space to lure users to the malicious app. We have recently observed malicious ads being hosted on X as well,” Jamf Threat Labs Director Jaron Bradley told . “These social engineering techniques have proven to be highly successful."
According to the report, the second stage is a Rust-based binary designed for Apple Silicon Macs that disguises itself as Finder or Software Update.
“Rather than storing its configuration in cleartext, the dropper derives a key from a fingerprint of the host—including its CPU architecture, locale, keyboard layout, and time zone—and uses it to unlock an encrypted, integrity-checked configuration containing the payload URL and installation path,” the company said.
Once installed, the malware can steal browser credentials and Keychain data, monitor clipboard contents, establish persistence, and send stolen information to a remote command-and-control server using encrypted communications. If it can't verify that it's running on its intended target, then it quietly shuts itself down.
The malware also attempts to expand its access by displaying a fake Finder alert asking users to grant Full Disk Access. The prompt can appear up to 40 minutes after infection, making it less likely that users will associate it with the original download. If approved, the malware can access protected data, including Mail, Messages, and Time Machine backups.
According to Bradley, Jamf has not observed any evidence that PamStealer is active in the wild; however, the company notified Apple of its findings. Apple did not immediately respond to a request for comment by .
Jamf said it is seeing similar social engineering techniques spread to other platforms.
In an X post last week, the company said it was investigating a sponsored
“The
The findings come as attackers increasingly disguise malware as legitimate software and abuse trusted developer platforms and advertising channels. Recent campaigns have included a fake OpenAI repository that reached the top of Hugging Face's trending projects before distributing a Rust-based infostealer, a malicious Visual Studio Code extension that GitHub said exposed roughly 3,800 internal repositories, and the Shai-Hulud software supply-chain campaign targeting development tools used by AI companies including OpenAI and Mistral AI.