AppleInsider A.I CyberSecurity Scoring
AppleInsider
Company Information
Website:http://appleinsider.com
Employees number:16
Number of followers:3,354
NAICS:519131
Industry Type:Online Audio and Video Media
Homepage:appleinsider.com
AppleInsider Risk Score (AI oriented)
Between 700 and 749
AppleInsiderOnline Audio and Video Media
Updated:
13/07/2026
13/07/2026
702/1000
Moderate
Ba
AppleInsider Global Score (TPRM)
xxxx
AppleInsiderOnline Audio and Video Media
Score locked

AppleInsiderModerate
Current Score
702Ba (MODERATE)
01000
4 incidents
-20 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
721
Cyber Attack
03 Jul 2026 • AppleInsider
Apple: PamStealer macOS Infostealer Uses PAM API to Verify Stolen Passwords
PamStealer: A Novel macOS Info-Stealer Targeting Apple Silicon Users
701
CRITICAL-20
APP1783088630
PamStealer: A Novel macOS Info-Stealer Targeting Apple Silicon Users
Researchers at Jamf Threat Labs have uncovered PamStealer, a newly identified macOS information stealer that employs a unique credential-verification technique to ensure attackers receive only validated login passwords. The malware spreads via a fake website impersonating Maccy, a legitimate open-source clipboard manager, and specifically targets Apple Silicon Mac users.
### Infection Chain & Technical Sophistication
The attack begins at maccyapp[.]com, a spoofed domain mimicking the official Maccy site (maccy[.]app). Victims who download the malicious disk image receive a compiled AppleScript file disguised as the clipboard tool. The first stage performs environment-aware fingerprinting, collecting system details such as CPU architecture, locale, and timezone. Only Apple Silicon devices that meet predefined criteria proceed to the second stage, reducing exposure to security analysis.
Stage two delivers a Rust-based infostealer, chosen for its ability to evade static analysis tools optimized for Objective-C and Swift binaries. The payload harvests browser passwords, cookies, autofill data, cryptocurrency wallet files, and system configuration details before exfiltrating them to attacker-controlled infrastructure.
### PAM API Verification: A First for macOS Stealers
PamStealer’s defining feature is its use of macOS’s Pluggable Authentication Modules (PAM) API to validate stolen credentials. When prompting victims for their login password via a native-looking dialog ("Maccy wants to make changes"), the malware internally verifies the input using pam_authenticate. Only passwords that pass this check are transmitted, ensuring attackers receive confirmed working credentials unlike traditional phishing methods that capture typos or incorrect entries.
### Targeted Users & Mitigation
The campaign exploits users seeking privacy tools, particularly iCloud+ subscribers who may download software from third-party sources. The legitimate Maccy developer has issued warnings on its official site and GitHub, confirming maccy[.]app as the sole trusted download source. Users who entered their password into the fake dialog are advised to rotate credentials, revoke browser sessions, and audit cryptocurrency wallets.
Jamf Threat Labs has released indicators of compromise, noting that detection at the AppleScript dropper stage is critical, as the Rust payload executes only on qualifying hosts. Security teams should monitor for compiled .scpt files in disk images from non-App Store sources and outbound connections from newly executed Rust binaries.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
JUNE 2026
721
MAY 2026
739
Cyber Attack
01 May 2026 • AppleInsider
1Password and Apple: New macOS Stealer Mimics Apple’s Crash Report Framework to Steal Browser Credentials
CrashStealer: Sophisticated macOS Infostealer Mimics Apple Utilities to Steal Credentials and Crypto Wallets
719
CRITICAL-20
APP1PA1783967437
CrashStealer: Sophisticated macOS Infostealer Mimics Apple Utilities to Steal Credentials and Crypto Wallets
In early May 2026, cybersecurity firm Jamf identified a suspicious macOS infostealer on VirusTotal, initially appearing as a work-in-progress. By July, the malware dubbed CrashStealer had evolved into an actively deployed threat, designed to harvest browser credentials, cryptocurrency wallets, password manager data, and Keychain contents before encrypting and exfiltrating the stolen information to a remote command-and-control (C2) server.
Unlike typical macOS stealers built on AppleScript or Objective-C, CrashStealer is written in native C++, leveraging an internal class called MacOSData for efficiency and stealth. Its development marks a shift toward more professionalized macOS malware, aligning with trends observed in threats like Atomic (AMOS), MacSync, and Phexia though with distinct technical advancements.
### Infection Chain and Evasion Tactics
CrashStealer spreads via a signed disk image ("Werkbit Setup"), a rarity in malicious DMG campaigns, which includes a notarized application bundle to bypass Gatekeeper. Upon execution, the dropper fetches an obfuscated shell script from GitHub, decodes multiple Base64 layers, and deploys the payload disguised as "CrashReporter.app" complete with Apple’s bundle identifier and icon.
Once active, the malware:
- Validates the victim’s login password via `dscl`
- Unlocks the Keychain and profiles installed security tools
- Targets Chromium-based browsers (Chrome, Brave, Edge, etc.) and Firefox for stored credentials
- Steals data from ~80 cryptocurrency wallet extensions (Ethereum, Solana, Cosmos, TON, etc.)
- Exfiltrates data from 14 password managers, including 1Password, Bitwarden, and LastPass
- Conducts file-system reconnaissance in Documents and Downloads
### Advanced Tradecraft
CrashStealer employs AES-256-GCM encryption via Apple’s CommonCrypto framework to secure stolen data before exfiltration over `libcurl`, a level of operational security uncommon in commodity macOS malware. Additional anti-analysis measures include control-flow flattening and anti-debugging checks, reflecting a broader trend of macOS threats adopting Windows-level sophistication.
For persistence, the malware re-signs itself and installs a LaunchAgent (`com.apple.crashreporter.helper`), further impersonating Apple’s legitimate utilities.
### Broader Campaign Indicators
Jamf linked CrashStealer to a live operator panel and additional infrastructure domains, suggesting it is part of a multi-platform operation rather than an isolated tool. This discovery underscores the rapid maturation of macOS infostealers, with detection volumes and technical complexity rising sharply since 2025.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
APRIL 2026
738
MARCH 2026
738
FEBRUARY 2026
738
JANUARY 2026
751
DECEMBER 2025
737
NOVEMBER 2025
751
OCTOBER 2025
736
SEPTEMBER 2025
751
AUGUST 2025
751
JANUARY 2025
750
Cyber Attack
01 Jan 2025 • AppleInsider
Google and Apple: SparkCat malware returns to target Android and iOS users, hiding in innocent apps to try and steal your details
SparkCat Infostealer Resurfaces in App Store and Play Store with Advanced Obfuscation
730
CRITICAL-20
GOOAPP1775500447
SparkCat Infostealer Resurfaces in App Store and Play Store with Advanced Obfuscation
Cybersecurity researchers at Kaspersky have identified a resurgence of SparkCat, a mobile-focused infostealer targeting cryptocurrency seed phrases, hidden within apps on both the Apple App Store and Google Play Store. Despite rigorous vetting processes by Apple and Google, threat actors successfully distributed the malware through seemingly legitimate apps, including enterprise messengers and food delivery services.
First detected in 2025, SparkCat initially targeted Asian users by scanning for Japanese, Korean, and Chinese keywords in seed phrases 12- or 24-word recovery phrases used to restore cryptocurrency wallets. The malware employed Optical Character Recognition (OCR) to extract seed phrases from photos and screenshots, a tactic that previously drew attention for its sophistication.
The latest version introduces new obfuscation techniques, including code virtualization and cross-platform languages, making detection significantly harder. While the Android variant continues to focus on Asian languages, the iOS version now targets English mnemonics, expanding its reach to Western users.
Kaspersky reported the findings to Apple and Google, leading to the removal of some malicious apps. However, the incident highlights ongoing challenges in securing official app marketplaces against evolving malware threats.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
JUNE 2023
752
Vulnerability
16 Jun 2023 • AppleInsider
Apple: Apple Security Risk: Full List of iPhones and iPads Affected
Apple Patches Critical WebKit Vulnerabilities in iOS and iPadOS Updates
748
CRITICAL-4
APP1768941532
Apple Patches Critical WebKit Vulnerabilities in iOS and iPadOS Updates
Apple has released security updates addressing two critical WebKit vulnerabilities that left millions of iPhones and iPads exposed to potential attacks. The flaws, identified in the engine powering Safari and all iOS browsers, could allow malicious websites to execute harmful code, granting attackers control over devices and access to sensitive data, including passwords and payment details.
The vulnerabilities were reportedly exploited in a sophisticated attack targeting specific individuals, as confirmed by Apple in late 2023. While the company released fixes in iOS 26.2 and iPadOS 26.2, adoption remains low only about 20% of users have installed the update, leaving the majority of devices at risk.
WebKit flaws stem from memory-related errors, enabling attackers to exploit them simply by luring users to a compromised webpage. Since WebKit underpins all iOS and iPadOS browsers, a single vulnerability can impact millions of devices.
Affected Devices:
- iPhone 11 and later
- iPad Pro 12.9-inch (3rd generation) and later
- iPad Pro 11-inch (1st generation) and later
- iPad Air (3rd generation) and later
- iPad (8th generation) and later
- iPad mini (5th generation) and later
Apple continues to urge users to update to the latest software versions to mitigate risks, as future security releases will build on these fixes. Devices running outdated software remain vulnerable to exploitation.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for AppleInsider ??
What was AppleInsider's A.I Rankiteo Cyber Score in June 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in May 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in April 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in March 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in February 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in January 2026 ??
What was AppleInsider's A.I Rankiteo Cyber Score in December 2025 ??
What was AppleInsider's A.I Rankiteo Cyber Score in November 2025 ??
What was AppleInsider's A.I Rankiteo Cyber Score in October 2025 ??
What was AppleInsider's A.I Rankiteo Cyber Score in September 2025 ??
What was AppleInsider's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on AppleInsider's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with AppleInsider ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view AppleInsider's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?