sysop_host

📢🍏 macOS is now part of the EDR Telemetry Project. After three months of focused work, we’re excited to share a new framework and generator for endpoint visibility on macOS! Huge thank you to everyone who contributed and helped shape this release. Looking forward to what comes next. Read more: edr-telemetry.com/blog/macOS-EDR…

Electron 41 is out! It includes a new security feature I contributed and the team let me write a blurb in their announcement blog post! Shoutout and thanks to the team for working with me on this! I'm really enjoying contributing to Electron. electronjs.org/blog/electron-…

1/ Oh 🙊, here we go again! Signed MacSync stealer dropper being delivered via zkcall[.]pro - a fully vibe-coded "secure messenger" for $199/month Premium tier. Same fake app was documented by @txhaflaire in his MacSync write-up: jamf.com/blog/macsync-s…

Nothing new here, just feels like a feature that’s ripe for abuse for initial access 0x626c6f67.xyz/posts/vscode-m…

Here is an interesting one shared by @malwrhunterteam: f66645abf456e3f67fbcbeb78244c73735541ec2e6fd2e56cf2647823cb0eb99 shell script that downloads a (pretty annoying) obfuscated golang binary. script checks if running on macOS by checking if sw_vers exists, pretty cool. 🧵

BOOM! Apple’s Neural Engine Was Just Cracked Open, The Future of AI Training Just Change And Zero-Human Company Is Already Testing It! In a jaw-dropping open-source breakthrough, a lone developer has done what Apple said was impossible: full neural network training– including backpropagation – directly on the Apple Neural Engine (ANE). No CoreML, no Metal, no GPU. Pure, blazing ANE silicon. The project (github.com/maderix/ANE) delivers a single transformer layer (dim=768, seq=512) in just 9.3 ms per step at 1.78 TFLOPS sustained with only 11.2% ANE utilization on an M4 chip. That’s the same idle chip sitting in millions of Mac minis, MacBooks, and iMacs right now. Translation? Your desktop just became a hyper-efficient AI supercomputer. The numbers are insane: M4 ANE hits roughly 6.6 TFLOPS per watt – 80 times more efficient than an NVIDIA A100. Real-world throughput crushes Apple’s own “38 TOPS” marketing claims. And because it sips power like a phone, you can train 24/7 without melting your electricity bill or the planet. At The Zero-Human Company, we’re not waiting. We are testing this right now on real ZHC workloads. This is the missing piece we’ve been chasing for our Zero Human Company vision: reviving archived data into fully autonomous AI systems with zero human overhead. This is world-changing. For the first time, anyone with a Mac can fine-tune, train, or iterate massive models locally, privately, and at a fraction of the cost of cloud GPUs. No more renting $40,000 A100 clusters. No more waiting in queues. No more massive carbon footprints. Training costs that used to run into the tens or hundreds of thousands of dollars? Plummeting toward pennies on the dollar – mostly just the electricity your Mac was already using while it sat idle. The AI revolution just moved from billion-dollar data centers to your desk. WE WILL HAVE A NEW ZERO-HUMAN COMPANY @ HOME wage for equipped Macs that will be up to 100x more income for the owner! We’re only at the beginning (single-layer today, full models tomorrow), but the door is wide open. Ultra-cheap, on-device training is here. The future isn’t coming. It’s already running on your Mac. Welcome to the Zero-Human Company era.

I built a tool to monitor Apple Events on macOS. It surfaces abuse of tools like osascript and helps detect techniques like fake password prompts, even when "display dialog" never appears on the command line.

For the last decade, @patrickwardle has released a yearly blog post covering the most notable macOS malware. I'm a big fan and have learned so much from these so I decided to record a few videos using it as a learning resource. Here's part 1: youtube.com/watch?v=wJKMYx…

Some quick thoughts on abusing tasks in VS Code and how you might detect/mitigate the behaviour. 0x626c6f67.xyz/posts/fun-with… Hat tip to opensourcemalware.com for the original research and @__pberba__ for the idea sharing.

@mattjay I have a trusty bootstrap script to turn on all the sane off-by-default options like right click, install brew, run brew bundle install and setup the dock and a bunch of other stuff how I like it. Iterm config lives in iCloud Drive because I’m lost without my terminal setup.

When you get a new Mac - what is your setup checklist? What browser? Extensions? Apps? Settings?

I wrote a decompiler for run-only AppleScripts pberba.github.io/security/2025/…

Phorion Threat Report: a backdoored Cursor extension was used to deploy the Paradox Stealer infostealer into macOS developer workflows. The post breaks down the full infection chain, detection opportunities and why IDE extensions have become a reliable point of initial access. phorion.io/blog/macos-par…

🍎☕️ A new LPE for macOS Tahoe. 100% reliable, instant root. <3 Shared work with @gergely_kalman . That coffee shop was awesome 😎

😂

Worked with @sysop_host. A file can show a benign script but runs the hidden payload when executed through osascript. It seems that when a compiled AppleScript exists in the resource fork, osascript will run this and ignore the contents of the data fork.

I wrote a thing about some recent dabbling with AppleScripts 0x626c6f67.xyz/posts/hiding-c…

Calling all London #redteam and cyber crew! Save the date 23 Nov 23 for #Beacon23: a hacker-run microcon for discussions and talks on all things around #offensivesecurity with informal drinks and music til 10pm, near Old Street. Register on Eventbrite at l.ocalho.st

A standalone tweet; I have made my book fully free for those that want it, and it's also available to pay some money for if you want to support my blog/work: Free: blog.zsec.uk/ltr101-copies-…​ Paid: leanpub.com/ltr101-breakin…​ #ltr101 #CyberMonday #BlackFriday #InfosecStudents

@_RastaMouse How many reboots did it take to work it out?

It's going to be one of those days. I thought my computer had crashed this morning but turns out I'd just turned the monitors off....

@bohops @Hexacorn @subtee I actually had a bit of a play with this against one product and found I could get some HTML formatting to render but sadly no XSS. I’m sure with more work it would be possible.

@Hexacorn cc: @subtee

So, how does an EDR parse and display something like this? Does yours? If a low-medium alert is generated, is there still value in that or is it discarded as nonsense?