
Mac malware CrashStealer masquerades as Apple crash reporter to steal secrets
Jamf Threat Labs warns about CrashStealer, a macOS malware that pretends to be Apple’s crash reporting tool via a fake notarized app named Werkbit. It targets over 80 cryptocurrency wallet extensions and 14 password managers (such as 1Password, LastPass, and Dashlane), searches Documents and Downloads for data, and prompts for full-disk access and a system password to access the login keychain. The stolen data is encrypted with AES-256-GCM and sent to the attacker. Apple revoked Werkbit’s signing credentials, but the attack vector shows how notarization can be abused, and the threat could reappear; users should avoid apps that prompt for a password or claim to be CrashReporter.
