CrashStealer Hits MacOS, Stealing Keychains and Crypto Wallets via Apple-Like CrashReporter
Updated
Updated · ZDNet · Jul 15
CrashStealer Hits MacOS, Stealing Keychains and Crypto Wallets via Apple-Like CrashReporter
3 articles · Updated · ZDNet · Jul 15
Summary
Jamf said CrashStealer has now been released into the wild, posing as Apple’s crash reporter to steal MacOS data, account credentials, keychain entries and cryptocurrency wallets.
CrashReporter.dmg and CrashReporter.app mimic a legitimate Apple tool, then show a fake password prompt to unlock the keychain, validate stolen credentials locally and send encrypted data to an attacker-controlled server.
A signed, Apple-notarized “Werkbit Setup” dropper helps the malware clear Gatekeeper on first launch, making the disk image appear trustworthy despite installing a malicious payload.
Researchers said users can cut risk by checking .dmg download sources, scrutinizing unexpected password prompts and keeping MacOS updated as infostealers spread through social engineering and AI-laced lures.
Is the CrashStealer malware just the tip of the iceberg in a massive multi-platform attack?
With notarized malware bypassing Gatekeeper, is the fortress of macOS security starting to crumble?
2026 macOS Security Breach: CrashStealer Malware Exploits Notarization to Steal Keychain and Crypto Data
Overview
CrashStealer is a newly discovered macOS infostealer malware that appeared in July 2026, posing a major threat by bypassing Apple’s Gatekeeper security. It achieves this by using a signed and notarized dropper application, allowing it to run on Macs without triggering any warnings. Once active, CrashStealer tricks users with a fake macOS password prompt. When users enter their administrator password, the malware uses it to unlock the Keychain, where sensitive data like Safari logins, Wi-Fi passwords, and cryptographic keys are stored. This stolen information is then packaged into a ZIP archive and sent to the attackers, making CrashStealer both stealthy and dangerous.