Skip to content
Inside SStar Agent, a cross-platform RAT with an unfinished macOS toolkit
Adam Kohler

Calvin So

19 min read

Inside SStar Agent, a cross-platform RAT with an unfinished macOS toolkit

Threat Intelligence
NVD's shift to risk-based prioritization: how Iru Vulnerability Management stays ahead of the limitations
Shwena Kak

6 min read

NVD's shift to risk-based prioritization: how Iru Vulnerability Management stays ahead of the limitations

Threat Intelligence
Iru Quarterly Threat Report: May 2026
Adam Kohler

6 min read

Iru Quarterly Threat Report: May 2026

Threat Intelligence

MiniRAT: A Go-based macOS RAT delivered via malicious npm package
Calvin So

13 min read

MiniRAT: A Go-based macOS RAT delivered via malicious npm package

MiniRAT is a Go-based macOS RAT dropped onto developer machines via a malicious npm package. It evades VMs, persists via a LaunchAgent disguised as an Apple component, and beacons over HTTPS using an AES-encrypted C2 config. Operators can run shell commands, exfiltrate files, and stage secondary payloads. A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.

Threat Intelligence
Atomic Stealer (AMOS) Returns: ClickFix, Trojanized Crypto Apps, and a New macOS Persistence Mechanism
Calvin So

11 min read

Atomic Stealer (AMOS) Returns: ClickFix, Trojanized Crypto Apps, and a New macOS Persistence Mechanism

Atomic Stealer, commonly tracked as AMOS, has earned its place as one of the most persistent threats the macOS threat landscape. Powered by a relentless development cycle and diverse distribution networks, it shows no signs of slowing down. Researchers have extensively documented its signature tactics: "ClickFix" browser social engineering prompts, trojanized application installers, and, most recently, the "malext" variants spread through malvertising campaigns.

Threat Intelligence
macOS Malware Analysis: Music Plugin DMG Loader
Calvin So

17 min read

macOS Malware Analysis: Music Plugin DMG Loader

On February 4, 2026, security researchers discovered a mass-distributed loader disguised as predominantly cracked music plugin DMGs used to deliver multiple multistage macOS malware, such as Odyssey and MacSyncStealer, in addition to a Mach-O binary containing another loader to an additional payload.

Threat Intelligence
The Security Implications of OpenClaw and Autonomous AI Agents
Shwena Kak

8 min read

The Security Implications of OpenClaw and Autonomous AI Agents

In recent months, a new class of AI tools has gained momentum, blurring the line between traditional assistants and fully autonomous automation platforms. OpenClaw, previously known as Clawdbot and Moltbot, is designed to execute tasks for users with little ongoing human involvement, including file management, workflow automation, and direct shell command execution. Its rapid viral growth and strong community adoption, with almost 200,000 GitHub stars, have brought attention to a new category of AI tools that operate with deeper system access than most conversational AI platforms.

Threat Intelligence
The hidden risks of the Homebrew Cellar in Vulnerability Management
Candace Jensen

3 min read

The hidden risks of the Homebrew Cellar in Vulnerability Management

In the modern macOS ecosystem, Homebrew is a staple: the engine under the hood in software engineers' day to day development, and a productivity enhancer for macOS power users. However, its convenience and ubiquity may introduce a significant blind spot for security teams if they lack visibility into the "Cellar" - the specific location where Homebrew stores its binaries, known as formulae. Its hidden dependencies, lingering outdated binaries, and relaxed permissions can create serious security gaps. When a workstation may be the gateway to cloud and production systems, those gaps matter.

Threat Intelligence
The Dangers of Cracking Tools
Csaba Fitzl

7 min read

The Dangers of Cracking Tools

This blog article highlights one particular risk that arises from using various tools to crack software: introducing vulnerabilities to their environment. This article provides a general overview, examines past cases, and dives into an actual local privilege escalation vulnerability we uncovered in a macOS software cracker.

Threat Intelligence
Analyzing the MonetaStealer macOS Threat
Calvin So

6 min read

Analyzing the MonetaStealer macOS Threat

On January 6, 2026, security researchers at Iru discovered a suspicious Mach-O binary masquerading as a Windows .exe file. Investigation revealed the file is a PyInstaller-compiled binary that executes malware hidden within a .pyc file. Researchers named the malware MonetaStealer. The malware contains limited capabilities and lacks anti-analysis/persistence mechanisms. Researchers believe it is still in its very early development phase and relies heavily on AI code. MonetaStealer maintains a zero-detection rate on VirusTotal as of the time of writing.

Threat Intelligence
Investigating Shai-Hulud: Inside the NPM Supply Chain Worm
Calvin So

9 min read

Investigating Shai-Hulud: Inside the NPM Supply Chain Worm

On August 26, 2025, attackers exploited a GitHub Actions injection vulnerability inside Nx’s workflow, using a manipulated pull request title to run shell commands and extract the company’s NPM publishing token. With that access, they published malicious versions of trusted Nx packages. Once installed, those packages hijacked local AI command line tools to scan victim systems for credentials, SSH keys, and crypto wallets.

Threat Intelligence
CrashOne - A Starbucks Story - CVE-2025-24277
Csaba Fitzl & Gergely Kalman

22 min read

CrashOne - A Starbucks Story - CVE-2025-24277

On a cold autumn day in Budapest in 2024, I met independent security researcher Gergely Kalman at a local Starbucks to swap ideas, dead ends, and updates on our research. Over coffee, we started talking about crash logs, and that’s when we stumbled onto something big.

Threat Intelligence
The Top Cyber Threats Facing SMBs in 2025
Calvin So

3 min read

The Top Cyber Threats Facing SMBs in 2025

Small and midsize businesses (SMBs) are under siege. Attackers know these organizations often run lean IT teams with limited budgets, making them prime “path of least resistance” targets.

Threat Intelligence
Brewing Trouble: Homebrew Spoofed Sites on the Rise
Adam Kohler & Christopher Lopez

5 min read

Brewing Trouble: Homebrew Spoofed Sites on the Rise

In September 2025, Iru's security researchers identified multiple spoofed Homebrew installer sites designed to mimic the official brew.sh page. These replicas injected malicious payloads under the guise of a standard install. In this post, we examine the tactics, infrastructure, and impact of the campaign.

Threat Intelligence
The Vulnerability Data Crisis: Why You Can't Trust Your Security Tools
Shwena Kak

5 min read

The Vulnerability Data Crisis: Why You Can't Trust Your Security Tools

How data processing delays, inaccuracies, and systemic challenges in the National Vulnerability Database are impacting security teams and what you can do about it.

Threat Intelligence

Stay up to date

Iru's bi-weekly collection of articles, videos, and research to keep IT & Security teams ahead of the curve.