Security researcher Linus Henze posted a video to his YouTube channel allegedly demonstrating a zero-day exploit he discovered in macOS Mojave, but he is not sharing details with Apple out of protest.
Keychain is the built-in password manager for macOS. It houses passwords, encryption keys, and certificates from a wide range of sources, including websites, apps, and attached hardware. Using a software tool he created called KeySteal, Henze can access all the passwords on a Mac's keychain with one click. Henze is a familiar name, having previously revealed iOS vulnerabilities. As noted by 9to5Mac, he "has a track record of credibility."
The exploit works regardless of whether System Integrity Protection is enabled or Access Control Lists are set up. It is capable of extracting passwords from the Login and System keychains, but not the iCloud Keychain.