PamStealer: Rust-based macOS infostealer that validates credentials through PAM
A new Rust-based macOS infostealer named PamStealer has been discovered. It targets user credentials by validating them through the Pluggable Authentication Module (PAM) and exfiltrates stolen data from infected systems.
Background
- PamStealer is newly discovered macOS malware written in Rust. It's an "infostealer" — it steals passwords, credentials, and files from infected Macs.
- Its key novelty: it validates stolen passwords using PAM (Pluggable Authentication Modules), macOS's low-level authentication system. This lets the malware confirm that a captured password is actually correct before exfiltrating it, so it avoids dead or fake credentials that might tip off security tools.
- The report comes from Jamf, a major Apple-focused enterprise security firm whose threat research team regularly discovers new macOS malware. The audience is IT admins and security pros managing Mac fleets.
- macOS infostealers are growing more common as Apple's business market share rises. Recent examples include Atomic Stealer and MacStealer. Rust is also a growing trend in malware: Rust binaries are harder to reverse-engineer, and the language is more portable across platforms.