A strain of Mac malware discovered by security researchers at Jamf Threat Labs has successfully bypassed Apple’s app verification system by disguising itself as a built-in macOS utility.
The malware, called CrashStealer, targets stored passwords, cryptocurrency wallets, and browser data, and it was found actively circulating in July 2026.
The delivery mechanism is what sets this apart from typical Mac threats. CrashStealer arrived bundled inside an app called Werkbit, which carried valid Apple notarization credentials.
Notarization is the process Apple uses to scan and approve software before it reaches users, and its presence is what allows an app to bypass Gatekeeper, the macOS security layer that blocks unverified software at launch.
What CrashStealer Actually Collects
Once installed, the malware deploys a fake version of CrashReporter, a legitimate Apple diagnostic tool that ships with every Mac. Because most users have seen real macOS crash reports, the interface looks credible.
The app requests full disk access under the pretense of system administration, then presents a native-looking password prompt. Whatever the user types is used to unlock the login keychain, where macOS stores saved credentials.
From there, CrashStealer searches the Documents and Downloads folders and scans for data across more than 80 cryptocurrency wallet browser extensions.
It also targets 14 password managers specifically, including 1Password, LastPass, and Dashlane. Collected data is encrypted and transmitted to a remote server controlled by the attacker.
How Apple Responded and What Still Applies
Jamf reported the malware to Apple after first detecting it in May. Apple has since revoked Werkbit’s signing credentials, disabling the specific distribution path that Jamf documented.
The original version also required a PIN to install, suggesting it was deployed against specific targets rather than distributed broadly.
Revoking credentials closes that channel, but the underlying technique remains viable. A similar app built on the same approach could surface with fresh credentials.
Jamf noted that the construction of CrashStealer showed deliberate effort to avoid detection, with concealment steps that go beyond what most infostealer malware bothers to include.
Two Things That Should Stop Any Mac User
Apple’s crash reporting tool is part of macOS itself. It does not arrive as a separate download, and no legitimate software installer should deliver a file called CrashReporter.
Any app that does that is worth deleting immediately. Separately, an app that requests a system password the moment it opens, before doing anything else, is behaving in a way that standard software does not. Together, those two signals are a reliable indicator that something is wrong.