
CrashStealer macOS infostealer fakes Apple’s crash reporter to swipe credentials and crypto wallets
A new macOS information-stealing malware named CrashStealer disguises itself as Apple’s CrashReporter to harvest Keychain data, browser credentials, and more than 80 crypto wallet extensions. Delivered via a signed, Apple-notarized dropper and launched with a fake system prompt, it exfiltrates encrypted data (AES-256-GCM) to a C2 server after collecting files from user directories. Researchers note its stealthy, self-re-signing persistence and its distinct client-side encryption and native C++ implementation, with the campaign gated behind a PIN and active since May 2026.

