English HomeApple NewsTech NewsArabic Home
Rumor

'CrashStealer' malware poses as an Apple tool to steal passwords & Mac data

AppleInsider • Mon, 13 Jul 2026

'CrashStealer' malware poses as an Apple tool to steal passwords & Mac data

CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt. CrashStealer fake password prompt Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July. Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims. Werkbit carried a valid Developer ID associated with Emil Grigorov and passed Gatekeeper without an unidentified-developer warning. Apple has since revoked the signing credentials associated with the malicious application after Jamf shared its findings with the company's security team. Jamf found no zero-click stage in the samples it analyzed. A victim still had to download and launch Werkbit, allow the delivery chain to run and enter a valid Mac password before CrashStealer could reach its most valuable targets. Continue Reading on AppleInsider | Discuss on our Forums

What happened?

CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt. CrashStealer fake password prompt Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July. Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims. Werkbit carried a valid Developer ID associated with Emil Grigorov and passed Gatekeeper without an unidentified-developer warning. Apple has since revoked the signing credentials associated with the malicious application after Jamf shared its findings with the company's security team. Jamf found no zero-click stage in the samples it analyzed. A victim still had to download and launch Werkbit, allow the delivery chain to run and enter a valid Mac password before CrashStealer could reach its most valuable targets. Continue Reading on AppleInsider | Discuss on our Forums

Story details

CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt.

CrashStealer fake password prompt Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July.

Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims.

Why it matters

This page keeps Apple rumors separate from official updates, so readers can follow early reports without confusing them with confirmed announcements.

Original source

https://appleinsider.com/articles/26/07/13/crashstealer-malware-poses-as-an-apple-tool-to-steal-passwords-mac-data?utm_source=rss