Macos

The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.

A vulnerability in the vim text editor allows a remote, unauthenticated attacker to perform a Denial of Service attack by exploiting a weakness to disrupt the service without requiring prior authentication.

The CrowdStrike 2026 Technology Threat Landscape Report highlights the pervasive targeting of the technology sector by China-nexus and eCrime adversaries, employing tactics like password spraying, vulnerability exploitation, supply chain compromises (e.g., Axios npm package, GitHub repositories), and malware distribution (macOS info stealers via OpenClaw lures) to achieve intelligence collection, intellectual property theft, and financial extortion.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor, which uses malicious desktop applications for adware distribution and provides backdoor capabilities such as command execution and file system manipulation, with some variants using AI summarization for data exfiltration.

GitHub internal repositories were compromised after an attacker injected malicious code into the Nx Console Visual Studio Code extension (v18.95.0), leading to the exfiltration of approximately 3,800 internal repositories.

A local attacker can exploit a vulnerability in OpenVPN Connect on MacOS to escalate their privileges.

A remote, anonymous attacker can exploit multiple vulnerabilities in Apple macOS to gain root privileges, execute arbitrary code, cause a denial-of-service condition, disclose confidential information, modify data, or bypass security measures.

This rule detects the execution of macOS built-in commands such as `defaults`, `mkpassdb`, and `dscl` used by adversaries to dump user account hashes for credential access and lateral movement.

A local attacker can exploit vulnerabilities in Ivanti Secure Access Client to manipulate files or escalate privileges, potentially gaining elevated access to the system.

Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.

The rule detects script interpreters (osascript, Node.js, Python) making outbound connections to AWS S3 or CloudFront domains on macOS, which may indicate command and control or data exfiltration activity.

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler.

The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

This rule detects suspicious Finder Sync plugin registrations on macOS, where adversaries abuse the pluginkit process to establish persistence by repeatedly executing malicious payloads.

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.

Multiple vulnerabilities exist in Apple macOS Sonoma, macOS Sequoia, and macOS Tahoe that could allow an attacker to elevate privileges, conduct a denial-of-service attack, disclose information, execute arbitrary code, and bypass security measures.

Multiple vulnerabilities in Apple macOS allow an attacker to bypass security measures, conduct denial of service attacks, disclose information, manipulate files, and escalate privileges.

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.

Attackers are using Google Ads malvertising and weaponized Claude.ai shared chats to trick macOS users into downloading and executing malware, leading to credential theft and system compromise.

A macOS vulnerability enables bypassing System Integrity Protection (SIP) by abusing sandboxing mechanisms to load an untrusted library into a SIP-entitled process.

The WINDSHIFT APT group is infecting Macs by abusing custom URL schemes, where advertising support for a custom URL scheme in an application's Info.plist causes the application to be automatically launched when a URL with that scheme is opened, allowing attackers to remotely compromise systems with minimal user interaction and creating an initial access vector.

OSX.Dummy is a new macOS malware targeting the cryptocurrency community, as reported by Objective-See.

A Mac adware, likely a component of OSX.Pirrit, uses multiple layers of obfuscation, including base64 encoding, zlib compression, and variable renaming, to evade detection and inject malicious JavaScript from hxxps://1049434604.rsc.cdn77.org/ij1.min.js.

Adware Doctor, a popular app available on the Mac App Store, surreptitiously steals user's browsing history from Safari and Chrome, compresses the data into a password-protected zip archive, and exfiltrates it to a remote server.

The ClickFix campaign targets macOS users with fake utility fixes, tricking them into running malicious Terminal commands to install infostealing malware such as Macsync, Shub Stealer, and AMOS.

A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.

Adversaries are increasingly targeting macOS environments, leveraging native tools like Remote Application Scripting (RAS) and Spotlight metadata to bypass security controls for remote code execution and lateral movement.

This rule detects the initial creation or modification of a macOS LaunchAgent or LaunchDaemon plist file by a Python process, a common persistence technique employed by attackers using malicious scripts, compromised dependencies, or model file deserialization.

A use-after-free vulnerability exists in the `powerMonitor` module of Electron applications on Windows and macOS. When the native `PowerMonitor` object is garbage-collected, dangling references are retained by OS-level resources. Subsequent session-change events on Windows or system shutdowns on macOS may dereference freed memory, potentially leading to a crash or memory corruption.

CVE-2024-44250 is a permission issue in macOS Sequoia 15.1 that allows an application to execute arbitrary code outside of its sandbox or with elevated privileges, potentially leading to full system compromise.

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.

GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.

Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.

The rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity, and requires Jamf Protect for data ingestion into Elastic.

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

Apple's App Translocation in macOS v10.12 mitigates Gatekeeper bypasses (CVE-2015-3715, CVE-2015-7024) by creating a read-only DMG, impacting applications accessing external resources.

A race condition vulnerability (CVE-2019-8565) exists in macOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.

A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.

A blog post details the reverse engineering of the Kaspersky anti-virus engine on macOS to demonstrate the potential for crafting signatures capable of detecting and flagging classified documents, leveraging the product's scanning capabilities and dynamic signature updates, without implying any malicious activity by Kaspersky.

OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website, using a trojanized application bundle to execute a script that downloads and installs a persistent Monero miner using launch agents.

A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.

CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.

A malicious Word document targeting macOS users employs macros to download and execute a Meterpreter payload, leveraging a sandbox escape vulnerability and launch agent plist for persistence.

macOS is vulnerable to synthetic mouse event attacks, allowing threat actors to bypass security mechanisms and interact with protected UI components to perform unauthorized actions like dumping keychains and loading kernel extensions.

The Lazarus Group is distributing a new variant of the Dacls RAT targeting macOS systems via a trojanized application, installing a hidden executable and attempting persistence.

macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

The 'Calendar 2' application, available on the official Mac App Store, was found to surreptitiously mine cryptocurrency on users' Macs, utilizing the 'xmr-stak' miner to mine Monero (XMR) and report mining operations to calendar.qbix.com.

The Coldroot RAT is a cross-platform backdoor targeting macOS systems, providing remote attackers persistent access through a launch daemon, masquerading as an Apple audio driver, and beaconing to a command and control server.

The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.

A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.

This brief analyzes Mac malware discovered in 2018, including OSX.Mami, a DNS hijacker distributed via browser popups, and CrossRAT, a cross-platform Java-based backdoor likely spread through phishing, highlighting infection vectors, persistence mechanisms, and capabilities.

A machine learning job has detected a spike in bytes of data written to an external device via Airdrop, potentially indicating illicit data copying or transfer activities.

The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C&C server beastgoc.com.

A vulnerability in Microsoft Office for Mac allows malicious code to escape the application's sandbox and achieve persistence by abusing a faulty regex for temporary files.

CVE-2017-7149 is a vulnerability in macOS High Sierra (10.13) where the password for an encrypted APFS volume is stored as plain text in the password hint, potentially allowing a local attacker to gain unauthorized access.

The Lazarus group's macloader malware (OSX.AppleJeus.C) uses a launch daemon for persistence and executes downloaded payloads directly from memory, communicating with a C2 server to retrieve second-stage payloads, posing a significant threat due to its fileless execution and potential for repurposing.

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

A crash was identified in Apple's Security framework due to an uninitialized pointer in the SecError function, leading to the dereference of an invalid memory address.

Zoom's macOS client contains a local privilege escalation vulnerability that allows an unprivileged attacker to gain root privileges by subverting the runwithroot script, due to the insecure use of the deprecated AuthorizationExecuteWithPrivileges API.

The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.

A logic flaw in Microsoft Excel allows remote code execution on macOS via malicious XLM macros in SYLK files, bypassing the 'Disable all macros without notification' setting.

macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.

A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.

A local privilege escalation vulnerability in macOS allows attackers to gain root privileges by hijacking dylibs in applications installed from the Mac App Store.

The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.

This brief details a method for parsing macOS login item files to detect persistence mechanisms employed by malware or threat actors.

Objective-See details how to create a file monitor for macOS 10.15 using Apple's Endpoint Security Framework to capture file I/O events and process information.

macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.

An unsigned or untrusted binary on macOS is performing DNS requests for IP lookup services to determine the system's external IP address, which is commonly used by malware for reconnaissance before establishing C2 connections.

The 'Mac File Opener' adware achieves persistence by registering itself as a document handler for numerous file types, leveraging the Launch Services Daemon (lsd) to automatically parse the application's Info.plist and register the handlers.

The Lazarus APT group is distributing a trojanized macOS application named UnionCryptoTrader.dmg that installs a launch daemon for persistence, downloads and executes secondary payloads in-memory, and communicates with the command and control server unioncrypto.vip.

This brief discusses the use of Apple's Endpoint Security Framework in macOS 10.15 and later for user-mode process monitoring, offering improved capabilities over the older OpenBSM subsystem.

OSX/MaMi is a macOS malware that hijacks DNS settings and installs a malicious certificate into the system keychain to intercept network traffic, while also possessing capabilities for taking screenshots, simulating mouse events, persisting as a launch item, downloading and uploading files, and executing commands.

An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.