Logo Daily Crypto Briefs
Open menu

Fake Mac Clipboard App Now Targets Crypto Wallets

6 min read
Breaking News
Greyscale Mac laptop showing a fake clipboard security prompt beside a crypto hardware wallet and Ethereum network screen on blue, red and off-white editorial panels.

TL;DR

  • Jamf Threat Labs disclosed PamStealer, a macOS infostealer distributed through a fake Maccy clipboard-manager site.
  • The malware validates a victim's Mac login password through PAM before continuing, then targets browser data, keychain access, clipboard contents and persistence.
  • Jamf found two public Ethereum JSON-RPC endpoints in a decrypted PamStealer configuration and observed the fake Finder process connecting to one of them.
  • Jamf did not capture the specific Ethereum RPC calls, so the blockchain purpose of that activity remains unresolved.

NEW YORK, July 5, 2026

Jamf Threat Labs disclosed PamStealer, a new macOS infostealer that impersonates the Maccy clipboard manager, validates victims’ login passwords through Apple’s PAM system and reaches Ethereum RPC endpoints as bitcoin traded near $62,700.

The July 2 report puts a crypto-relevant twist on a familiar Mac malware pattern: users looking for a legitimate utility are pushed toward a fake download, then tricked into running a script that stages a second payload. Jamf said the fake distribution site used maccyapp.com, while the legitimate open-source clipboard manager is distributed through maccy.app.

Market snapshot: Bitcoin was recently shown near $62,724 and Ether near $1,778 on public crypto price pages, while TRM Labs said H1 2026 produced a record 207 crypto hack incidents and about $972 million in losses. TRM attributed about $643 million, or 66% of those losses, to North Korea-linked activity, keeping private keys and user-side compromise in focus.

Jamf described the password-validation workflow as a “quieter routine” because PamStealer checks the entered password locally through PAM without spawning the common verification processes defenders often monitor.

The disclosure follows a wider run of endpoint and wallet-security warnings. Daily Crypto Briefs recently covered record H1 crypto hacks and earlier fake-wallet concerns around Ledger and Trezor users. PamStealer is a narrower Mac case, but the target surface is the same: user devices that sit between a wallet, a browser and a recovery phrase.

The clearest implication is operational rather than market-wide. Crypto assets do not need a protocol exploit to be at risk if malware can read browser databases, clipboard contents, keychain-linked material or files that users wrongly treat as private.

Bitcoin

BTC
June 5 to July 5, 2026
$62,724
-1.7%
Jun 5 - Jul 5 | High $65,599 Low $59,713

PamStealer Turns Maccy Into a Mac Lure

Jamf said the first stage arrives as a compiled AppleScript file named Maccy.scpt inside a disk image. Because macOS opens that file type in Script Editor, the attacker can show branded instructions while hiding the real code far down the document.

The social-engineering step is simple. The victim is told to run the script, which lets the AppleScript execute its embedded payload even if the file still carries Apple’s quarantine attribute.

Jamf also found homoglyphs in the lure text. Greek and Cyrillic characters were used inside the displayed Maccy name, making the visible word look normal to a human while frustrating simple text matching.

The dropper then uses JavaScript for Automation and native Objective-C APIs to download, stage and launch the second stage. Jamf said this avoids many shell commands commonly seen in Mac stealers, reducing visible process creation.

The payload stages itself as a fake built-in Mac component, including Finder.app or Software Update.app names in observed variants. It uses ad-hoc signing, launches hidden and leaves a marker file named .Maccy.

That is where the campaign differs from ordinary fake-app scams. The victim may think a downloaded utility failed to open, while a hidden process is already running under a name that looks like part of macOS.

Mac Malware Reaches Ethereum RPCs

The second stage is a stripped Apple silicon Mach-O written in Rust, according to Jamf. The firm said Rust remains less common in macOS stealers than Swift, Go or Objective-C, which makes this sample more notable for defenders tracking commodity malware evolution.

The stealer reads database files through bundled SQLite logic, a standard route for browser credentials, cookies and wallet-extension stores. It also loads Security.framework at runtime, which can make keychain access less obvious in static inspection.

Clipboard theft is central to the risk. Jamf observed PamStealer repeatedly spawning the built-in pbpaste utility, with reads recurring from under 10 seconds to roughly a minute and a half apart. Crypto users often copy addresses, passwords or temporary wallet data through the clipboard, making that behavior directly relevant even before a seed phrase is involved.

Jamf recovered a decrypted configuration object that included two public Ethereum JSON-RPC endpoints: eth.drpc.org and ethereum-rpc.publicnode.com. The firm also said a firewall recorded the second-stage process, running as Finder, connecting to ethereum-rpc.publicnode.com.

The exact purpose was not immediately clear. Jamf said it did not capture the specific calls, so the endpoint activity could point to resilient command-and-control, wallet reconnaissance or another blockchain-linked function that has not been proven from the available traffic.

That uncertainty is important. Ethereum itself was not shown to be compromised, and public RPC providers were not accused of wrongdoing. The relevant fact is that malware on an infected Mac reached blockchain infrastructure while also targeting data stores and clipboard material.

Crypto Wallet Risk Moves to the Clipboard

PamStealer’s name comes from its password behavior. The stealer shows a native-looking Mac password prompt, validates what the victim enters through PAM and keeps prompting until it gets a correct password.

Once it has a valid password, Jamf said the malware shows a fake damaged-app alert, telling the victim that Maccy cannot be opened and should be moved to the Trash. That decoy appears after the payload has already run, captured the password and registered persistence.

The malware later tries to expand access with a counterfeit Finder alert that opens System Settings to the Full Disk Access pane. In Jamf’s testing, that prompt sometimes appeared as long as 40 minutes after launch, making it harder for a user to connect it to the earlier fake app.

If the victim grants access, the fake Finder bundle can read more protected locations, including other app data, Mail, Messages and Time Machine backups. For crypto users, that makes local note files, exported wallet backups and screenshots part of the risk surface.

The pattern matches a broader threat that Microsoft warned about in its macOS infostealer research: fake apps and social prompts can steal cryptocurrency wallets, browser passwords, cloud credentials and developer keys without needing to break the underlying protocols.

Daily Crypto Briefs has also tracked security incidents where the first weak point was not token design but operational exposure, including more than $605 million in platform attacks. The wallet boundary fails when the host device, clipboard or key-handling workflow is already under attacker control.

Market sentiment remains weak, leaving security headlines more likely to feed caution than complacency. Alternative.me’s Crypto Fear and Greed Index stood at 23, or Extreme Fear, on July 5.

Fear & Greed Index

July 5, 2026
23 Extreme Fear

The next signals are whether Jamf or other researchers identify wider distribution, confirmed victims, additional variants or wallet-specific calls to Ethereum RPC endpoints. Until then, the narrow finding is already clear: Mac crypto users who trust a fake download, run a script and grant system prompts can lose the security boundary before a wallet transaction ever appears onchain.

Stay up to date

Get the latest crypto insights delivered to your inbox

Fact-checked by: Daily Crypto Briefs Fact-Check Desk

Frequently Asked Questions

What is PamStealer?

PamStealer is a macOS infostealer tracked by Jamf Threat Labs that impersonates the legitimate Maccy clipboard manager and uses a two-stage attack chain.

Does PamStealer target crypto wallets?

Jamf said the malware's database theft behavior matches browser credential, cookie and wallet-extension data collection, and it found Ethereum RPC endpoints in the stealer configuration.

Did Jamf prove what PamStealer did with Ethereum RPC calls?

No. Jamf observed a connection to an Ethereum RPC endpoint but said it did not capture the specific calls, leaving the exact blockchain purpose unresolved.

Why does the fake Maccy site matter?

The fake domain maccyapp.com impersonated the real Maccy project at maccy.app, turning a trusted Mac utility search into a malware-install path.

What should Mac crypto users watch after PamStealer?

Use official download sources, avoid running unexpected scripts, review login items, watch for fake Finder or System Settings prompts, and never store seed phrases or wallet backups in clipboard-accessible files.