When an app crashes, macOS offers to send an error report to Apple – a familiar process. A new piece of malware mimics this process: it requests the Mac password and then accesses the keychain, password manager, and cryptocurrency wallets. This trick only works with the help of a tool that is currently barely noticeable.
macOS is considered stable, but every now and then an app crashes, and the system offers to send a diagnostic report. The security firm Jamf Threat Labs has discovered malware that spoofs this process and steals the login password. Anyone who enters it grants the software access to a large portion of their personal data. This tactic demonstrates once again that a Mac is not a free pass against attacks – how to protect Apple devices from malware in general remains a fundamental question of personal security.
This is how the attack unfolds
The malware is known as CrashStealer by Jamf. Initial contact is not random, but occurs via a disguised meeting app called "Werkbit," which is distributed as supposed video conferencing software. The download is protected with a meeting PIN – an indication that the attackers are sending the file to targeted victims, for example via fake invitations to alleged job interviews, rather than distributing it widely.
An automated infection does not occur. The victim must download and launch the app and then enter their Mac password. Only then does the software install a second component in the background, masquerading as Apple's crash reporting tool – complete with a fitting name, icon, and the internal identifier com.apple.crashreporter. A password dialog, styled like macOS, appears on the screen, with accompanying text that disguises the extensive system access as purely maintenance-related.
What the software collects
The malware first verifies the entered password locally using a built-in macOS tool. If it's correct, it unlocks the login keychain and copies it to a hidden folder. From there, access expands to include browser data such as saved logins and cookies, approximately 14 password managers – including 1Password, Bitwarden, LastPass, Dashlane, and Keeper – and around 80 crypto wallets such as MetaMask, Phantom, and Coinbase. It also scans the "Documents" and "Downloads" folders for usable files.
CrashStealer encrypts the collected data directly on the device before it is sent to an external server. The software also embeds itself in such a way that it restarts every time the user logs in. Jamf also discovered Windows versions of the same campaign – meaning the attackers are targeting multiple platforms, not just Macs.
Why Gatekeeper didn't initially trigger
Particularly concerning is the method the attackers used to circumvent macOS's security mechanisms. The "Werkbit" app was signed with a valid Apple developer ID and notarized by Apple – even the disk image itself bore a signature, which is unusual for malware. As a result, the file passed the Gatekeeper check on first launch without any warning.
After Jamf reported the discovery, Apple revoked the misused developer credentials. The known variant should now be detected and blocked by Gatekeeper. This mitigates the specific case, but doesn't negate the underlying lesson: A valid Apple signature alone is not proof of trustworthiness.
This is how the attack can be repelled
A simple warning sign can help in everyday life: Apple's genuine crash reporting tools are already part of macOS. A file called CrashReporter.dmg, which is offered for download, is not one of them and should raise suspicion. It's also worth taking a second look at any password dialog that requires extensive system changes – especially if it appears in connection with a newly installed app.
The most reliable protection remains downloading programs only from the Mac App Store or from the websites of trusted developers, and critically examining invitations to unknown meeting apps. Since the attack targets the entered password, consistently active two-factor authentication for your Apple account is also helpful: even stolen login credentials are then significantly less valuable to an attacker. Those who want to avoid using a reusable password altogether can use Passkeys on Apple devices, a method that cannot be intercepted via a fake dialog box.
Signed software is not a license to do free speech
CrashStealer is not a mass attack, but a targeted, elaborately constructed campaign – and that's precisely what makes it such a textbook example. The attackers obtained a genuine developer ID, had their malware notarized, and narrowed the crucial moment down to a single user action: entering the password in a deceptively realistic dialog box. Anyone who pauses at this point undermines the entire scheme. (Image: Shutterstock / AIBooth)
- Nine new emojis are planned: Pickle, Lighthouse and Meteor
- China releases Apple Intelligence – with Qwen and Baidu
- OpenAI sees no evidence to support Apple's theft claim
- Apple Watch exempt from the EU battery replacement requirement
- Apple grows by 24 percent in China against the market trend
- Apple TV shows the trailer for "Mayday" starring Ryan Reynolds
- Madden NFL 27 launches on August 6th on Apple Arcade
- Apple rejects Epic's objections to the procedural pause
- WhatsApp is working on a backup alternative to iCloud
- iOS 26.6 warns of harmful messages



