Clankerusecase
macOS detection coverage

macOS detections

Clankerusecase tracks 56 detection use cases covering the macOS attack surface across 60 MITRE ATT&CK techniques.

Detections targeting macOS endpoints — osascript / launchd / .plist persistence / Mach-O execution.

56 use cases · 60 techniques · 28 articles · 6 kill-chain phases

Top techniques on macOS (25)

Reconnaissance (1)

[LLM] Browser writing oversized OPFS file (potential FROST SSD-timing side-channel) · Bespoke recon · hunting DSΣPDDCS

Delivery (6)

[WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes · Internal delivery · alerting DSPDD
[WEEKLY] Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) · Internal delivery · alerting DSΣPDD
[LLM] node process spawning bash/curl chain to fetch Velora DEX install.sh dropper · Bespoke delivery · alerting DSΣPDDCS
[LLM] IoliteLabs VSCode extension dropper: VS Code child process reaching rraghh.com / oortt.com C2 · Bespoke delivery · alerting DSΣPDD
[LLM] npm/node postinstall hook spawning interpreter and reaching new C2 host (Axios-style dropper) · Bespoke delivery · hunting DSPDDCS
[LLM] Pastebin-piping stager retrieved from rentry.co/openclaw-core (macOS/Linux ClawHub skill) · Bespoke delivery · alerting DSPDDCS

Exploitation (16)

Article-specific behavioural hunt — Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blo · Bespoke exploit · hunting DSP
[LLM] osascript invoked with AppleScript breakout pattern (mismatched tell blocks + do shell script) · Bespoke exploit · alerting DSΣPDDCS
Article-specific behavioural hunt — Nx Console VS Code Extension Compromised · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised · Bespoke exploit · hunting DSP
[LLM] DeepSeek-TUI sub-agent shell execution via AGENTS.md prompt injection (CVE-2026-45374) · Bespoke exploit · alerting DSΣPDD
Article-specific behavioural hunt — TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromi · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — @velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via l · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — axios Compromised on npm - Malicious Versions Drop Remote Access Trojan · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, ma · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — axios compromised on npm: maintainer account hijacked, RAT deployed · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Harden Runner Now Supports Windows and macOS GitHub Actions Runners · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Installing and managing Java on macOS · Bespoke exploit · hunting DSP
Article-specific behavioural hunt — Using insecure npm package manager defaults to steal your macOS keyboard shortcu · Bespoke exploit · hunting DSP

Installation (14)

[WEEKLY] Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) · Internal install · alerting DSΣPDD
[LLM] macOS LaunchAgent Persistence — com.user.kitty-monitor.plist (Nx Console Compromise) · Bespoke install · alerting DSΣPDDCS
[LLM] Kitty cat.py Python Backdoor File Drop / Execution (Nx Console Compromise) · Bespoke install · alerting DSΣPDDCS
[LLM] FlutterShell macOS payload SHA256 IOC match · Bespoke install · hunting DSΣPCS
[LLM] Mini Shai-Hulud 'gh-token-monitor' persistence daemon (LaunchAgent / systemd) · Bespoke install · alerting DSΣPDDCS
[LLM] macOS LaunchAgent/LaunchDaemon plist persistence pointing at Python interpreter · Bespoke install · hunting DSΣPDDCS
[LLM] macOS Python backdoor persistence via kitty-monitor LaunchAgent and cat.py drop · Bespoke install · alerting DSΣPDDCS
[LLM] launchctl persistence registering zsh.profiler service from non-admin location · Bespoke install · alerting DSΣPDDCS
[LLM] macOS file write of profiler binary to com.apple.Terminal masquerade path · Bespoke install · alerting DSΣPDDCS
[LLM] OpenClaw persistence — launchd plist / systemd unit drop referencing 'openclaw' · Bespoke install · alerting DSΣPDDCS
[LLM] TeamPCP telnyx FetchAudio() — python subprocess running inline base64 exec · Bespoke install · alerting DSΣPDDCS
[LLM] macOS Axios RAT daemon spoof + ad-hoc codesign of hidden /private/tmp binary · Bespoke install · alerting DSΣPDDCS
[LLM] axios RAT artifact dropped: com.apple.act.mond / wt.exe / ld.py with known SHA256 · Bespoke install · alerting DSΣPDD
[LLM] npm postinstall SSH-backdoor chain: node spawning sudo ufw allow 22/tcp + chown ~/.ssh · Bespoke install · alerting DSΣPDD
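Most of the Installation use cases above are variations on one launchd persistence theme: a LaunchAgent or LaunchDaemon plist whose program is a script interpreter, a payload parked under a hidden or /private/tmp path, a com.apple.* label written from a non-Apple location, or an inline base64 decode-and-exec argument. The Python below is an added example written for this page, not a detection from the Clankerusecase library or from any of the cited articles. It parses launchd plists with the standard-library plistlib and tags each of those traits so a hunt can rank an inventory of plists. Every label, path and plist in it is constructed for the example and is not a real indicator; the trait lists (SCRIPT_INTERPRETERS, SCRATCH_DIRS, APPLE_OWNED) are assumptions a practitioner would tune to their own fleet.

```python
"""Heuristic triage of launchd property lists (LaunchAgents / LaunchDaemons).

Added example for this page, not Clankerusecase library code. Scores a plist
on the persistence traits the listed use cases name. All sample plists,
labels and paths below are constructed, not real indicators.
"""
import os
import plistlib
import re

# Assumption: interpreters that a launchd job on a workstation rarely needs as its Program.
SCRIPT_INTERPRETERS = {"python", "perl", "ruby", "node", "osascript", "sh", "bash", "zsh"}

# Assumption: scratch / world-writable directories where a persisted payload is a red flag.
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

# Assumption: only these locations may legitimately carry com.apple.* labels.
APPLE_OWNED = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")

# Inline decode-and-exec or curl-to-shell inside ProgramArguments.
INLINE_EXEC = re.compile(r"(base64|b64decode|exec\(|eval\(|\bcurl\b.*\|\s*(ba|z)?sh)")


def _argv(job: dict) -> list:
    """launchd accepts either Program (string) or ProgramArguments (list)."""
    if job.get("ProgramArguments"):
        return [str(a) for a in job["ProgramArguments"]]
    if "Program" in job:
        return [str(job["Program"])]
    return []


def assess_launch_plist(plist_bytes: bytes, plist_path: str) -> dict:
    """Return {'label', 'argv', 'findings', 'score'} for one plist.

    findings is an ordered list of trait tags; score is their count.
    """
    job = plistlib.loads(plist_bytes)
    argv = _argv(job)
    label = str(job.get("Label", ""))
    findings = []

    if argv:
        exe = os.path.basename(argv[0])
        # Strip a trailing version: python3.12 -> python, perl5.30 -> perl.
        exe_family = re.sub(r"[\d.]+$", "", exe) or exe
        if exe_family in SCRIPT_INTERPRETERS:
            findings.append("interpreter_program")

        joined = " ".join(argv)
        # Any path component beginning with "." (e.g. ~/Library/.cache/...).
        if any(seg.startswith(".") for seg in re.split(r"[/\s]", joined) if seg):
            findings.append("hidden_path_component")
        if any(d in a for a in argv for d in SCRATCH_DIRS):
            findings.append("scratch_dir_payload")
        if INLINE_EXEC.search(joined):
            findings.append("inline_decode_or_exec")

    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_OWNED):
        findings.append("apple_label_masquerade")

    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("autostart")

    return {"label": label, "argv": argv, "findings": findings, "score": len(findings)}


def triage(inventory) -> list:
    """inventory: iterable of (plist_path, plist_bytes). Returns results worst-first."""
    results = []
    for path, data in inventory:
        r = assess_launch_plist(data, path)
        r["path"] = path
        results.append(r)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# --- constructed sample plists (example data, not real IOCs) -----------------
BENIGN_PLIST = plistlib.dumps({
    "Label": "homebrew.mxcl.redis",
    "ProgramArguments": ["/opt/homebrew/opt/redis/bin/redis-server", "/opt/homebrew/etc/redis.conf"],
    "RunAtLoad": True, "KeepAlive": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",   # Apple-looking label in a user LaunchAgent
    "ProgramArguments": ["/usr/bin/python3", "/Users/dev/Library/.cache/.updater/run.py"],
    "RunAtLoad": True, "KeepAlive": True, "StandardOutPath": "/dev/null",
})
INLINE_PLIST = plistlib.dumps({
    "Label": "com.example.telemetry",
    "ProgramArguments": ["/bin/zsh", "-c", "echo aW1wb3J0IG9z | base64 -d | /usr/bin/python3"],
    "RunAtLoad": True,
})
APPLE_SYSTEM_PLIST = plistlib.dumps({   # legitimate-looking Apple daemon in an Apple-owned path
    "Label": "com.apple.exampled",
    "Program": "/usr/libexec/exampled",
})
SAMPLE_INVENTORY = [
    ("/Users/dev/Library/LaunchAgents/homebrew.mxcl.redis.plist", BENIGN_PLIST),
    ("/Users/dev/Library/LaunchAgents/com.apple.softwareupdate.helper.plist", SUSPICIOUS_PLIST),
    ("/Library/LaunchDaemons/com.example.telemetry.plist", INLINE_PLIST),
    ("/System/Library/LaunchDaemons/com.apple.exampled.plist", APPLE_SYSTEM_PLIST),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['score']}  {r['label']:36s} {', '.join(r['findings']) or '-'}")
```

On a real host the inventory would come from walking ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons (and, on macOS 13+, from `launchctl print` output for jobs registered via the Service Management API, which never touch those directories). The score is deliberately a plain count so the hunt output can be sorted and thresholded; the "autostart" tag alone is common and should not page anyone, whereas "apple_label_masquerade" or "inline_decode_or_exec" combined with "interpreter_program" is the shape of the kitty-monitor, zsh.profiler and Axios RAT daemon cases listed above.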

Command & Control (2)

[LLM] FlutterShell macOS C2 contact (atsheisdomestic / etoftheappyrince / healightejustb) · Bespoke c2 · alerting DSΣPCS
[LLM] Outbound connection to Velora DEX npm supply-chain C2 89.36.224.5 · Bespoke c2 · alerting DSΣPDDCS

Actions on Objectives (17)

[WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes · Internal actions · alerting DSPDD
MCP Filesystem Server Suspicious Extension Write · ESCU actions · hunting P
File Download or Read to Pipe Execution · ESCU actions · alerting P
MacOS AMOS Stealer - Virtual Machine Check Activity · ESCU actions · hunting P
MacOS Gatekeeper Bypass · ESCU actions · hunting P
MacOS Hidden Files and Directories · ESCU actions · hunting P
MacOS List Firewall Rules · ESCU actions · hunting P
[LLM] Anti-forensic deletion/tampering of macOS Tahoe 26 App.MenuItem Biome stream · Bespoke actions · alerting DSΣPDDCS
[LLM] Non-forensic process bulk-reading the App.MenuItem Biome stream · Bespoke actions · hunting DSΣPDDCS
[LLM] Cross-platform memory scraping of GitHub Actions Runner.Worker process · Bespoke actions · hunting DSPDDCS
[LLM] gh-token-monitor service install or rm -rf wiper command (Hades self-destruct) · Bespoke actions · alerting DSΣPDDCS
[LLM] Non-Chrome process modifies macOS Chrome Preferences (FlutterShell browser hijack) · Bespoke actions · hunting DSΣPCS
[LLM] FlutterShell adware redirector contact (ads-parkpro / sinterfumesco / softwe.art) · Bespoke actions · alerting DSΣPCS
[LLM] Developer credential store read by Python or Node spawned from VS Code (Nx Console stealer pattern) · Bespoke actions · hunting DSPDDCS
[LLM] TruffleHog spawned by node/npm as postinstall — Shai-Hulud credential sweep · Bespoke actions · alerting DSΣPDD
[LLM] s1ngularity nx: /tmp/inventory.txt staging file created on host · Bespoke actions · alerting DSΣPDD
[LLM] macOS Text Replacements exfiltration via `defaults read NSUserDictionaryReplacementItems` · Bespoke actions · alerting DSΣPCS

Recent articles citing macOS-targeted detections