Atomic Stealer (AMOS) Returns: ClickFix, Trojanized Crypto Apps, and a New macOS Persistence Mechanism
Calvin So

11 min read

Atomic Stealer, commonly tracked as AMOS, has earned its place as one of the most persistent threats in the macOS threat landscape. Powered by a relentless development cycle and diverse distribution networks, it shows no signs of slowing down. Researchers have extensively documented its signature tactics: "ClickFix" browser social engineering prompts, trojanized application installers, and, most recently, the "malext" variants spread through malvertising campaigns.

Threat Intelligence
macOS Malware Analysis: Music Plugin DMG Loader
Calvin So

17 min read

Threat Intelligence
The Security Implications of OpenClaw and Autonomous AI Agents
Shwena Kak

8 min read

Threat Intelligence

The hidden risks of the Homebrew Cellar in Vulnerability Management
Candace Jensen

3 min read

In the modern macOS ecosystem, Homebrew is a staple: the engine under the hood of software engineers' day-to-day development, and a productivity enhancer for macOS power users. However, its convenience and ubiquity may introduce a significant blind spot for security teams if they lack visibility into the "Cellar", the specific location where Homebrew stores the binaries installed from its formulae. Its hidden dependencies, lingering outdated binaries, and relaxed permissions can create serious security gaps. When a workstation may be the gateway to cloud and production systems, those gaps matter.

Threat Intelligence
The Dangers of Cracking Tools
Csaba Fitzl

7 min read

This blog article highlights one particular risk that arises from using various tools to crack software: introducing vulnerabilities into the user's own environment. This article provides a general overview, examines past cases, and dives into an actual local privilege escalation vulnerability we uncovered in a macOS software cracker.

Threat Intelligence
Analyzing the MonetaStealer macOS Threat
Calvin So

6 min read

On January 6, 2026, security researchers at Iru discovered a suspicious Mach-O binary masquerading as a Windows .exe file. Investigation revealed the file is a PyInstaller-compiled binary that executes malware hidden within a .pyc file. Researchers named the malware MonetaStealer. The malware contains limited capabilities and lacks anti-analysis and persistence mechanisms. Researchers believe it is still in its very early development phase and relies heavily on AI-generated code. MonetaStealer maintains a zero-detection rate on VirusTotal as of the time of writing.

Threat Intelligence
Investigating Shai-Hulud: Inside the NPM Supply Chain Worm
Calvin So

9 min read

On August 26, 2025, attackers exploited a GitHub Actions injection vulnerability inside Nx’s workflow, using a manipulated pull request title to run shell commands and extract the company’s NPM publishing token. With that access, they published malicious versions of trusted Nx packages. Once installed, those packages hijacked local AI command line tools to scan victim systems for credentials, SSH keys, and crypto wallets.

Threat Intelligence
CrashOne - A Starbucks Story - CVE-2025-24277
Csaba Fitzl & Gergely Kalman

22 min read

On a cold autumn day in Budapest in 2024, I met independent security researcher Gergely Kalman at a local Starbucks to swap ideas, dead ends, and updates on our research. Over coffee, we started talking about crash logs, and that’s when we stumbled onto something big.

Threat Intelligence
The Top Cyber Threats Facing SMBs in 2025
Calvin So

3 min read

Small and midsize businesses (SMBs) are under siege. Attackers know these organizations often run lean IT teams with limited budgets, making them prime “path of least resistance” targets.

Threat Intelligence
Brewing Trouble: Homebrew Spoofed Sites on the Rise
Adam Kohler & Christopher Lopez

5 min read

In September 2025, Iru's security researchers identified multiple spoofed Homebrew installer sites designed to mimic the official brew.sh page. These replicas injected malicious payloads under the guise of a standard install. In this post, we examine the tactics, infrastructure, and impact of the campaign.

Threat Intelligence
The Vulnerability Data Crisis: Why You Can't Trust Your Security Tools
Shwena Kak

5 min read

How data processing delays, inaccuracies, and systemic challenges in the National Vulnerability Database are impacting security teams and what you can do about it.

Threat Intelligence
Finding Vulnerabilities in Apple Packages at Scale
Csaba Fitzl

15 min read

This article summarizes work we performed in 2024, which we shared in our "Finding Vulnerabilities in Apple Packages at Scale" talk at the MacDevOpsYVR and SecurityFest conferences earlier this year. You can watch the full presentation in the linked post.

Threat Intelligence
Threat Detected: RustyPages Malware - Part I
Adam Kohler & Christopher Lopez

6 min read

On August 13, 2025, Iru's security researchers discovered a potentially interesting Rust-compiled file on VirusTotal. Our investigation resulted in the analysis of 6 related Mach-O files. In this initial blog post, we focus on the first file of this analysis, the dropper. The dropper is designed to quietly download and run another malicious file, stay on the system by setting up persistence, and avoid detection by commonly used macOS security tools. We have included the hashes of the relevant Mach-O files currently on VirusTotal in the IOC section of the post to shed light on these samples quickly while we continue our analysis of the loader samples. At the time of writing, the specific Mach-O covered in the post has zero detections on VirusTotal, and most of the loader Mach-O files are also undetected.

Threat Intelligence
Iru Quarterly Threat Intelligence Report - August 2025
Alex Gartner

3 min read

Welcome to the Iru Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Iru is responding in real time. In each edition, we break down key threat discoveries and the protections we’ve deployed to keep customer devices secure.

Threat Intelligence
Dissecting the macOS 'AppleProcessHub' Stealer: A Technical Analysis
Christopher Lopez

14 min read

On May 15, 2025, the security research team MalwareHunterTeam (@malwrhunterteam) identified a suspicious file named libsystd.dylib with low detection (only 2 at the time of posting), which appeared to be an infostealer.

Threat Intelligence
