This is pretty serious – a researcher has discovered a zero-day exploit against the Keychain in macOS.
As a protest against Apple not paying a bug bounty for macOS (only for iOS), Linus Henze, the researcher, has withheld details of the exploit from Apple.
Patrick Wardle of Objective See has confirmed the bug is real and very serious.
This bug allows any app on your computer to potentially steal all of your Keychain items without prompting for your password. This is pretty scary as your Keychain will typically contain passwords for your email account, for any servers you access, for other apps like Facebook and Twitter and for Wifi and VPN network connections. This is the most sensitive of sensitive data that is stored on your Mac and Apple usually go to great lengths to protect it from prying eyes.
More info on Bleeping Computer.