Lisbon · Wednesday, 15 Jul 2026 NB Edition · Nº 080
← Back to news
Cibersegurança · macOS NB-L080

Mac malware clears Apple's security check to steal passwords and crypto wallets

A macOS data stealer, CrashStealer, reached victims carrying Apple's notarization seal and cleared Gatekeeper without alerts. Jamf Threat Labs explains how it works and what it steals.

Mac malware clears Apple's security check to steal passwords and crypto wallets
FIG. NB-L080 · Cibersegurança · macOS

Jamf Threat Labs, the threat research team at the Apple device management company, disclosed on 13 July 2026 a new piece of macOS malware it named CrashStealer. According to the research, the program harvests passwords, files and cryptocurrency wallets from the Macs it infects, and it reached its victims after clearing Apple's own security check.

What makes CrashStealer notable lies less in what it steals than in how it gets in. Before letting an app downloaded from the internet run, macOS performs an automatic check, Gatekeeper, which only opens without warnings the software Apple has already reviewed and approved, a process the company calls notarization. CrashStealer arrived carrying that seal.

The first file the victim receives is a signed, notarized disk image named "Werkbit Setup," tied to a valid developer identity, "Emil Grigorov (WWB7JA7AQV)." Because it is notarized, it clears Gatekeeper without any alert. That file is only the bait (dropper), which downloads and launches CrashStealer from the attackers' infrastructure.

A program that poses as Apple

According to Jamf, CrashStealer is written in native C++, unlike most Mac data stealers, which rely on AppleScript droppers or Objective-C wrappers. Once on the system, it poses as Apple's crash-reporting tool, installing itself as a startup component named "com.apple.crashreporter.helper" and making sure it runs on every boot. Before collecting anything, it validates the victim's login password locally, which unlocks the system's protected vaults.

What it looks for on your Mac

The target list is long. According to Jamf, CrashStealer combs the main browsers, among them Chrome, Brave, Edge, Opera, Vivaldi, Safari and Firefox, and goes after roughly 80 cryptocurrency wallet extensions, such as MetaMask, Phantom, Coinbase and Trust Wallet. It also collects data from 14 password managers, including 1Password, Bitwarden and LastPass, the credentials stored in the macOS keychain, and files from the Documents and Downloads folders. Everything it grabs is encrypted with AES-256-GCM and sent to an attacker-controlled server through the libcurl library.

Targeted delivery and a report to Apple

There are important limits to the attack. Distribution was not mass-scale. The "Werkbit Setup" file was served from the domain werkbit[.]io, registered in late June 2026, and access was protected by a meeting PIN, which restricts the download to whoever arrives with the right code. The operation was therefore aimed at chosen targets, not scattered at random. After confirming that the developer identity had been used to distribute malicious software, Jamf Threat Labs reported it to Apple. It is now up to Apple to decide whether to invalidate those credentials, the step that would block the files already known.

The episode exposes the underlying tension of a trust-based model. Notarization lowers the risk of opening unknown software, but it is no guarantee that a program is safe, only that it passed an automated review. For anyone using a Mac, the practical caution stands: be wary of installers received through closed channels or from outside the App Store, even when they open without warnings.

Sources: Jamf Threat Labs, The Hacker News.

#StaySafe
🙏🖖

Keep reading

More stories

See all →
It doesn't hide from the AI that hunts it: it talks the AI into closing the case
Cibersegurança · IA

It doesn't hide from the AI that hunts it: it talks the AI into closing the case

SentinelLabs found a piece of Mac malware that hides 38 fake messages in its own code to convince the AI analyzing it to...

4 MIN · 26 Jun 2026 · NB-L056
27 million stolen passwords recovered: police hit the factory behind cybercrime, not its customers
Cibersegurança · Infostealer

27 million stolen passwords recovered: police hit the factory behind cybercrime, not its customers

Operation Endgame recovered 27 million stolen passwords and took down 326 servers. The target wasn't a ransomware gang:...

4 MIN · 24 Jun 2026 · NB-L054
It poses as your phone's antivirus to steal your bank, your SMS codes, and your crypto
Cibersegurança · Android

It poses as your phone's antivirus to steal your bank, your SMS codes, and your crypto

A new Android trojan, Rokarolla, targets 217 banking and crypto apps and gives the attacker near-total control of the ph...

4 MIN · 18 Jun 2026 · NB-L042
Weekly · No spam

The Boletim

A weekly summary of the cybersecurity, AI and technology stories that matter — written to be read in five minutes.

Unsubscribe with one click, any week.
BRI assistant

Quer saber sobre um projeto, um serviço ou uma notícia recente? Pergunte. Conheço todo o conteúdo deste site.