• 2 min read
CrashStealer slipped past macOS defenses to steal passwords
Jamf says CrashStealer posed as an Apple crash tool, bypassed Gatekeeper via a notarized app, and targeted keychains, browsers, and crypto wallets.

Image: MacRumors
Mac users are being warned about a piece of macOS malware called CrashStealer that disguised itself as an Apple system utility to steal sensitive data, according to Jamf Threat Labs.
Jamf said the malware impersonates Apple’s crash reporting framework and was first seen inside a fake Apple-notarized app called Werkbit. Because the app was notarized, it was able to get past Gatekeeper, Apple’s macOS security feature.
CrashStealer is built to pull a wide range of information, including:
- browser data
- password manager data
- keychain data
- cryptocurrency wallet extensions
Jamf said it specifically targets more than 80 cryptocurrency wallet extensions and 14 password managers, including 1Password, LastPass, and Dashlane. It also searches the Documents and Downloads folders for files worth stealing.
The malware uses a familiar macOS installation flow to appear legitimate. Through Werkbit, it downloads a fake CrashReporter.app designed to look like Apple’s own crash reporting tool. When launched, it asks for full disk access “for system administration” and presents a native-looking macOS password prompt. That password is then used to access the login keychain.

Recommended reading
AI won’t replace penetration testers just yet
Jamf said the stolen data is encrypted with AES–256-GCM using Apple’s CommonCrypto framework before being sent to the attacker’s IP address.
“shows real care”
Jamf first spotted the malware in May and found it in active use in July. After being notified, Apple revoked the Werkbit app’s signing credentials, disabling the specific delivery method Jamf described. But the researchers warned the malware could return in another form. The original version was protected by a PIN required for installation, a sign it may have been aimed at specific targets.
Jamf’s advice is straightforward: Apple’s CrashReporter is built into macOS, so any downloaded app claiming to be CrashReporter is a warning sign. An app that asks for a system password immediately after launch should also be treated with suspicion.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via MacRumors


