Ex-NSA hacker drops macOS High Sierra zero-day hours before launch

Just hours before Apple is expected to roll out the new version of its desktop and notebook operating system, macOS High Sierra, a security researcher dropped a zero-day.
Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack — a password exfiltration exploit — in action.
Passwords are stored in the Mac’s Keychain, which typically requires a master login password to access the vault.
But Wardle has shown that the vulnerability lets an attacker grab every password in the keychain in plaintext using an unsigned app downloaded from the internet, without needing that login password.
Older versions of macOS and OS X are also vulnerable, Wardle told ZDNet.
He tweeted a short video demonstrating the hack.
Wardle created a “keychainStealer” app demonstrating a local exploit for the vulnerability, which, according to the video, can expose passwords for websites and services, as well as credit card numbers, while a user is logged in.
That exploit could be included in a legitimate-looking app, or be sent by email.
“If I was an attacker or designing a macOS implant, this would be the ‘dump keychain’ plugin,” said Wardle.
“I reported it to Apple, but unfortunately the patch didn’t make it into High Sierra,” he said.
In his tweet, Wardle suggested that Apple should launch a macOS bug bounty program “for charity.” Right now, Apple only has a bug bounty for iPhones and iPads, which pays up to $200,000 for high-end secure boot firmware exploits.
It’s the second zero-day that Wardle found for the operating system this month — the first shows how the new software’s secure kernel extension loading feature is vulnerable to bypass.
Apple did not respond to a request for comment at the time of writing.