Your Mac's Next 'Crash Report' Might Actually Be Malware

Crash reports don't require your credentials.

Your Mac's Next 'Crash Report' Might Actually Be Malware

Emily Long

Emily Long Freelance Writer

Experience

Emily Long is a freelance writer based in Salt Lake City.

After graduating from Duke University, she spent several years reporting on the federal workforce for Government Executive, a publication of Atlantic Media Company, in Washington, D.C. She has nearly a decade of experience as a freelancer covering tech (including issues related to security, privacy, and streaming) as well as personal finance and travel.

In addition to Lifehacker, her work has been featured on Wirecutter, Tom’s Guide, and ZDNET. Emily has also worked as a travel guide around the U.S. and as a content editor. She has a masters in social work and is a licensed therapist in Utah.

Read Full Bio

July 14, 2026

Add as a preferred source on Google
Add as a preferred source on Google

macbook on table

Credit: NguyenDucQuang/Getty Images

Table of Contents


If you're a Mac user, beware of any system prompts that request your credentials in order to send reports to Apple. A new malware—dubbed CrashStealer—is posing as a legitimate crash-reporting tool while stealing keychain data, local files, and data from browsers, password managers, and crypto wallets.

CrashStealer impersonates Apple on macOS

This macOS infostealer, which was identified by security firm Jamf, looks like a legitimate application. It goes by "CrashReporter.app," uses a recognizable icon and metadata, and is delivered by a dropper signed and notarized by Apple. Targets can download the installer from a fake software site promoting the "Werkbit" meeting platform and requires a PIN to access. From there, installation follows a similar process to any other real app, as the campaign relies on social engineering to trick targets into adding the payload directly to their own devices. As BleepingComputer describes, its technical setup allows it to avoid detection from macOS' anti-malware tool.


Are you an Apple fan, or interested in Apple's product announcements? Lifehacker is hosting a Big Guessing Game, a free competition that invites readers to make predictions about what Apple may announce this year. The game is currently in its second round, and you can click here to enter.


When the infostealer runs, it pretends to be Apple's crash reporter, displaying a prompt that looks exactly like a macOS authorization request to make changes to system preferences. Users are asked to enter their password to allow these changes, and the malware validates the credential locally. If the password is wrong, the prompt runs again until the correct credential is supplied. With the system password, threat actors can unlock the user's Keychain and all of the encrypted data within, such as wifi and app passwords, certificates, and tokens. CrashStealer also appears to target other data on users' devices, including:

Files from Documents and Downloads folders.

Credentials and cookies from Firefox and Chromium-based browsers.

14 password managers, including popular apps like 1Password, Bitwarden, LastPass, Dashlane, NordPass, and Keeper.

80 cryptocurrency wallet extensions.

The malware is able to encrypt the stolen data, put it in a hidden ZIP archive, and upload it to attackers' servers.

What do you think so far?

How to protect your Mac from CrashStealer

It's not clear exactly how threat actors are targeting the distribution of this specific malware, but use caution when downloading and installing apps to your device, as attackers are able to run highly sophisticated campaigns that raise very few red flags. If you aren't 100% sure of the origin or legitimacy of an app or software, don't install it. If you are worried about malware running on your device, use my guide to detect and remove it.

You should also be wary of system processes that require you to enter your credentials to run—an action many of us take frequently without thinking. For CrashStealer specifically, know that crash reports and diagnostics sent to Apple do not require a password. You may be asked whether you want to provide this information, but you shouldn't need to authenticate it in any way.