Mac users are being warned about a new strain of malware called CrashStealer that disguises itself as Apple's own crash reporting tool while quietly draining passwords, browser data, password manager vaults and cryptocurrency wallets from infected machines.
How CrashStealer Disguises Itself as Apple
Security firm Jamf identified this macOS infostealer, and its biggest strength is how convincing it looks. The malware goes by the name CrashReporter.app, carries a recognizable icon and metadata that mimic Apple's real diagnostic tool, and is delivered through a dropper that has actually been signed and notarized by Apple. That notarization step is normally meant to reassure users that an app has passed Apple's security checks, which makes this campaign especially deceptive.
Targets first encounter CrashStealer on a fake software website that promotes a meeting platform called Werkbit. The site requires a PIN before the installer can even be accessed, adding another layer that makes the download feel legitimate rather than suspicious. Once downloaded, the installation process looks like installing any other ordinary application. The entire campaign leans on social engineering, tricking people into willingly adding the payload to their own Mac rather than exploiting a technical vulnerability. Its underlying technical setup is also built to slip past macOS's built in anti-malware detection tool, so the system itself does not flag the app as dangerous.
A Fake Password Prompt Does the Real Damage
Once CrashStealer runs, it pretends to be Apple's legitimate crash reporter and throws up a prompt that looks identical to the standard macOS request asking permission to make changes to system preferences. The prompt asks the user to type in their password to allow those changes. Behind the scenes, the malware checks that password locally, and if the entry is wrong, it simply displays the same prompt again and again until the correct password is typed in.
That persistence matters because once the malware has the actual system password, attackers can unlock the user's Keychain, the encrypted vault macOS uses to store sensitive information. That single unlock exposes everything kept inside it, including wifi passwords, app passwords, certificates and authentication tokens, essentially handing over the keys to a huge portion of a person's digital life in one step.
Browsers, Password Managers and Crypto Wallets Are All Targets
CrashStealer does not stop at the Keychain. It also goes after files stored in the Documents and Downloads folders, along with saved credentials and cookies from Firefox and Chromium based browsers. It is built to pull data from 14 separate password managers, including widely used apps such as 1Password, Bitwarden, LastPass, Dashlane, NordPass and Keeper. On top of that, it targets 80 different cryptocurrency wallet extensions, putting crypto holdings directly in the line of fire.
After collecting all of this, the malware encrypts the stolen data, packages it into a hidden ZIP archive, and uploads that archive to the attackers' own servers, leaving little trace behind for the victim to notice.
How to Keep Your Mac Safe From CrashStealer
It is not entirely clear exactly how attackers are distributing this specific malware, but the campaign shows how sophisticated these operations have become, often raising very few obvious red flags along the way. The safest approach is caution: if there is any doubt about the origin or legitimacy of an app or piece of software, it should not be installed. Anyone who suspects malware may already be running on their device should look into proper detection and removal steps rather than ignoring the possibility.
It also helps to stay alert to any system process that asks for a password before running, since this is an action many people carry out routinely without thinking twice about it. In the specific case of CrashStealer, it is worth remembering that genuine crash reports and diagnostics sent to Apple never require a password. Users may be asked whether they want to share that information, but there is no legitimate reason they should ever need to authenticate that choice with their system credentials.











