The Iru Blog

MiniRAT: A Go-based macOS RAT delivered via malicious npm package

Atomic Stealer (AMOS) Returns: ClickFix, Trojanized Crypto Apps, and a New macOS Persistence Mechanism

macOS Malware Analysis: Music Plugin DMG Loader

On February 4, 2026, security researchers discovered a mass-distributed loader disguised as predominantly cracked music plugin DMGs used to deliver multiple multistage macOS malware, such as Odyssey and MacSyncStealer, in addition to a Mach-O binary containing another loader to an additional payload.

Analyzing the MonetaStealer macOS Threat

On January 6, 2026, security researchers at Iru discovered a suspicious Mach-O binary masquerading as a Windows .exe file. Investigation revealed the file is a PyInstaller-compiled binary that executes malware hidden within a .pyc file. Researchers named the malware MonetaStealer. The malware contains limited capabilities and lacks anti-analysis/persistence mechanisms. Researchers believe it is still in its very early development phase and relies heavily on AI code. MonetaStealer maintains a zero-detection rate on VirusTotal as of the time of writing.

Investigating Shai-Hulud: Inside the NPM Supply Chain Worm

On August 26, 2025, attackers exploited a GitHub Actions injection vulnerability inside Nx’s workflow, using a manipulated pull request title to run shell commands and extract the company’s NPM publishing token. With that access, they published malicious versions of trusted Nx packages. Once installed, those packages hijacked local AI command line tools to scan victim systems for credentials, SSH keys, and crypto wallets.

The Top Cyber Threats Facing SMBs in 2025

Small and midsize businesses (SMBs) are under siege. Attackers know these organizations often run lean IT teams with limited budgets, making them prime “path of least resistance” targets.