• 2 min read
CrashStealer hits Macs by posing as Apple’s crash reporter
Jamf says a new Mac infostealer called CrashStealer is now in the wild, using a fake Apple crash reporter to steal passwords, keychain data, and crypto wallets.

Image: ZDNET
A newly spotted MacOS infostealer is disguising itself as Apple’s crash reporting tool to steal data, account credentials, keychain entries, and cryptocurrency wallets. In a July 13 research advisory, Jamf said the malware, dubbed CrashStealer, is a C++ infostealer that appeared to be in development around May and has now been released into the wild.
CrashStealer imitates the legitimate pop-up Mac users see after an app crashes. According to Jamf, it uses the names CrashReporter.dmg for installation and CrashReporter.app for the application bundle, along with a convincing icon, to look like a real Apple utility.
Once on a system, the malware shows a fake password prompt designed to mimic a genuine MacOS authorization request and tries to unlock the keychain. Jamf said the malware validates stolen credentials locally, then targets installed password managers, browsers, and cryptocurrency wallets. The stolen data is sent to an attacker-controlled server in an encrypted package.
What stands out is how the malware gets in. Jamf said the main .dmg file is distributed as “Werkbit Setup,” a signed and Apple-notarized dropper that packages CrashReporter.dmg.

Recommended reading
OpenAI’s first gadget is a $230 coding keypad
“Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs,” the researchers note.
That means the initial installer can appear trustworthy and pass Gatekeeper checks before it drops the malicious payload.
ZDNET points to three habits that reduce the risk:
- Check the source of any .dmg file, especially if it is cracked or pirated software
- Be wary of unexpected password prompts, particularly when no legitimate app action should require one
- Keep MacOS updated, since OS and app updates often include security fixes
The report also notes other Mac attack paths, including ClickFix social engineering and malware distributed through poisoned AI chatbot conversations, as seen with Atomic MacOS Stealer.
Computing Editor
Tomas lives in the terminal. He covers chips, laptops, and operating systems with a focus on performance and efficiency. He reads kernel changelogs the way other people read fiction, and he's always on the hunt for the perfect mechanical keyboard switch. If it processes data, Tomas has an opinion on it.
via ZDNET


