https://arstechnica.com/security/201...kdoor-instead/

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user's password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain, and make sure it's a unique, strong password!)