Loading article…
CrashStealer, a notarized macOS infostealer, bypasses Gatekeeper and extracts credentials from 80 crypto wallets and 14 password managers – learn how it works
CrashStealer, a new macOS infostealer signed with a valid Apple developer ID, masquerades as the system’s CrashReporter and has already harvested credentials from dozens of crypto wallets and password managers, exposing a gap in macOS’s Gatekeeper defenses [1].
At a glance |
|---|---|
| Malware name | CrashStealer |
| Distribution method | Signed, notarized “Werkbit Setup” DMG |
| Data targeted | Keychain, browsers, 80 crypto wallets, 14 password managers |
| Bypass technique | Valid Developer ID + notarization ticket |
Jamf Threat Labs traced the infection chain to a disk image named “Werkbit Setup” that carries a legitimate‑looking installer called CrashReporter.app. Because the dropper is signed with a purchased Apple developer certificate and notarized, macOS Gatekeeper lets it run without warning, a step most infostealers skip due to the cost of a certificate [3]. Once executed, the installer creates a LaunchAgent (com.apple.crashreporter.helper) and presents a native‑style password prompt that tricks users into unlocking their Keychain. The malware then exfiltrates the unlocked secrets to a remote server, pulling browser cookies, credentials, and data from more than 80 cryptocurrency wallet extensions and 14 popular password managers such as 1Password and LastPass [1][2].
The use of a signed, notarized dropper marks a shift from typical Mac malware, which often relies on unsigned binaries that trigger Gatekeeper alerts. By purchasing a developer certificate, the attackers reduce user friction and increase the likelihood of successful installations, as noted by Jamf’s director Jaron Bradley [3]. The payload’s client‑side AES‑GCM encryption and anti‑debugging tricks further complicate detection, distinguishing CrashStealer from earlier macOS threats like AMOS or MacSync [3]. Although the malware skips large files to keep exfiltration volumes low, the breadth of data it harvests—especially crypto wallet keys—poses a significant financial risk to affected users.
The emergence of CrashStealer underscores that even macOS’s reputation for strong security can be undermined by attackers willing to invest in legitimate‑looking certificates, forcing users and defenders to scrutinize every installer, even those that appear Apple‑approved.
Coverage is mostly measured — 140 of 143 reports stay neutral.
Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.
Free · 3-min read · one-click unsubscribe
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 4 outlets · Jul 15, 2026 · How we report
CrashStealer is a macOS infostealer that masquerades as Apple's crash reporter, stealing credentials, keychain data, and cryptocurrency wallet information, and it can bypass Gatekeeper due to a valid Developer ID and notarization.
Gizmodo reports that the Apple Watch Series 11 is discounted by 25%, reducing the price from $399 to $299 for a limited time.
The Series 11 features a new Liquid Glass design with more fluid animations and updated Smart Stack widgets for quick access to activity stats, reminders, and weather.