Blocklisted: 24 apps restricted from running
Allowlisted: 183 explicitly trusted apps
Watchlist: 41 apps monitored for behavior changes
AI model precision (last 90 days): 96.2% · 1 false positive out of 26 blocks
| App | Hash / Source | Threat | AI Reason | Rule Type | Confidence | Added | Reviewed by |
|---|---|---|---|---|---|---|---|
| npm: lightllm | sha256:a4f3...c91b · npm 0.2.1 | AMOS / Banshee family | Supply chain — outbound 185.220.101.47 (Tor exit node), reads ~/.aws/credentials + ~/.ssh/ | CEL | 97% | Apr 18 | J. Rodriguez |
| unknown-binary-a | sha256:7c2b...f034 · unsigned | AMOS infostealer candidate | Unsigned, no publisher cert — matches AMOS keychain dump + osascript password prompt patterns | Hash | 91% | Apr 17 | Auto-blocked |
| osascript-fake-prompt.sh | sha256:3f8d...a12c · unsigned script | Cthulhu / AMOS phishing | osascript fake password dialog injection — harvests macOS login credentials via social engineering prompt | CEL | 96% | Apr 16 | Auto-blocked |
| dscl-wrapper.sh | no hash · shell script | Banshee / AMOS credential dump | dscl -authonly flag detected — bypasses keychain to dump local account credentials (AMOS/Banshee technique) | CEL | 94% | Apr 15 | J. Rodriguez |
| xattr-strip.sh | sha256:b9c1...4e72 · shell script | Quarantine bypass | xattr -d com.apple.quarantine — strips Gatekeeper quarantine flag to allow unnotarized binary execution | CEL | 98% | Apr 12 | Auto-blocked |
| node-gyp-unofficial | unofficial build · TeamID unverified | Supply chain risk | Unofficial build, unverified TeamID — build provenance cannot be confirmed, code injection risk | TeamID | 88% | Apr 5 | J. Rodriguez |
| cron-helper.sh | sha256:e3c9...77f2 | LaunchAgent persistence | LaunchAgent + cron-based persistence — writes to ~/Library/LaunchAgents/ for C2 beacon survival across reboots | PathRegex | 94% | Apr 3 | Auto-blocked |
| chrome-remote-debug.sh | no hash · shell script | Browser cookie theft | --remote-debugging-port flag — browser session theft via Chrome DevTools protocol; extracts cookies without decryption | CEL | 93% | Mar 29 | Auto-blocked |
| App | Publisher | Source | Trust Reason | Since |
|---|---|---|---|---|
| 1Password 8.x | AgileBits | App Store | Trusted publisher, signed | Mar 1 |
| Slack 4.x | Slack Technologies | App Store | Corporate tool | Mar 1 |
| Zoom 6.x | Zoom Video Communications | App Store | Corporate tool | Mar 1 |
| Google Chrome | Google LLC | App Store | Corporate browser | Mar 1 |
| Figma | Figma Inc | App Store | Design tool | Mar 5 |
| VS Code | Microsoft Corporation | Signed binary | Corporate IDE | Mar 1 |
| Docker Desktop | Docker Inc | Signed binary | Dev tooling, reviewed | Mar 8 |
| Postman | Postman Inc | Signed binary | API testing, reviewed | Mar 12 |
| App | Watch Reason | Events (7d) | Last Seen |
|---|---|---|---|
| Homebrew 4.2.1 | Elevated system path access | 347 | 2m ago |
| GitHub CLI 2.47 | Accessing non-standard git remotes | 12 | 5m ago |
| pyenv / python3.12 | Multiple interpreter versions installed | 8 | 1h ago |
| VS Code AWS Toolkit | Fetching credentials from ~/.aws | 94 | 3h ago |
| iTerm2 3.5 | Shell spawning unusual child processes | 23 | 1d ago |
| Raycast | Plugin network access outside expected scope | 15 | 2d ago |