Researchers have uncovered a new macOS malware strain called CrashStealer, designed to capture passwords and browser data from infected systems.
Initial activity was observed in early May as a developing infostealer, with full deployment confirmed by early July. The malware disguises itself as Apple’s native crash reporting tool to deceive users.
CrashStealer is delivered through a seemingly benign meeting application named Werkbit. The dropper carries a valid Apple notarization ticket and developer identifier, giving it an appearance of legitimacy.

Upon execution, the dropper retrieves a disk image titled CrashReporter.dmg, which contains the CrashReporter.app bundle. The application presents a password prompt that mimics the standard “System Preferences wants to make changes” dialog, complete with Apple‑style graphics.
After gaining access, the malware scans for data across a wide range of browsers—including Brave, Chrome, Edge, Opera and Vivaldi—as well as cryptocurrency wallets such as MetaMask, Coinbase and Phantom, and popular password managers like 1Password, Bitwarden and LastPass.
Apple has revoked the compromised developer credentials to hinder further distribution. Users should remain vigilant for unexpected system password requests and avoid installing software from unverified sources.





