Linux Kaspersky 0day: unloading LKMs directly from userspace.
Kaspersky rejected my report, so I'll be publishing the full technical write-up soon
#Linux #Kernel #0day #VulnerabilityResearch
Added static extractor for #751stealer
loader, compresses/packs a DLL file that decompresses at runtime
https://t.co/K1iiIb6Jfy
DLL, unpacked manually
https://t.co/eFyVwyQpa7
injector, it's a different build than the loader
https://t.co/5qoDExB6Oe
An open-source iPhone manager that gives you full control over your device without subscriptions or iCloud lock-in.
Browse backups, export messages, manage files, inspect diagnostics, and transfer data locally with native SwiftUI tooling.
Explore more: https://t.co/n8LP08k4IM
CVE-2025-21333: PoC
https://t.co/wTkxdKT2Yt
(Integer truncation in vkrnlintvps.sys)
Rewrote this exploit, which is less sketchy as it doesn't open Windows Sandbox, and is a little bit more stable.
A look back at the first Virus Bulletin International Conference in 1991. 🌍
These archive photos, together with Ed Wilding’s original event round-up, offer a glimpse into the early days of the VB community.
Read Ed Wilding’s 1991 round-up here:
https://t.co/Q3NtlREyKD
Cisco Talos research exposes LOOBins (Living Off the Orchard): attackers weaponizing native macOS automation features for execution and lateral movement. 45% of enterprises now use macOS, yet detection for these techniques lags significantly behind Windows coverage.
Key findings:
• Remote Application Scripting via eppc:// protocol enables command execution through https://t.co/jYOJ6l12e1 proxy, bypassing standard process spawning detection (T1072)
• Spotlight metadata (kMDItemFinderComment) can store Base64 payloads entirely in extended attributes, evading file-based scanning
• Native tools like osascript, nscurl, and TFTP/SNMP services enable complete attack chains without custom binaries
• Techniques abuse legitimate DevOps automation features that security teams rarely monitor
Detection gaps:
• Process lineage: launchd → AppleEventsD → Terminal → bash indicates Remote Application Scripting abuse
• Network: Inbound TCP/3031 (eppc) traffic should be rare on most enterprise networks
• Metadata: Monitor mdls queries for kMDItemFinderComment attribute access patterns
Hunt for unusual parent-child relationships involving https://t.co/GPzggXUSIi with network activity, and implement TCC automation restrictions via MDM.
#DFIR_Radar
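As an added example, not code from Cisco Talos or the post's author, here is detection logic for the three hunting indicators the post lists (the launchd → AppleEventsD → Terminal → bash lineage, inbound TCP/3031, and mdls queries for kMDItemFinderComment), run over constructed sample telemetry. The ProcEvent/NetFlow record shapes are assumptions made for the example; the process name "AppleEventsD" is taken from the post as written. The lineage check goes slightly beyond the post in that it matches the chain as an ordered subsequence, so an intermediate process between two of the named ancestors does not hide the pattern.

```python
"""Detection checks for the macOS LOOBins indicators listed in the post.

Added example, not Talos code. Telemetry shapes (ProcEvent / NetFlow) are
assumptions; map them onto whatever EDR or unified-log export you have.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Lineage called out in the post for Remote Application Scripting abuse.
SUSPICIOUS_LINEAGE = ("launchd", "AppleEventsD", "Terminal", "bash")
EPPC_PORT = 3031  # eppc:// (Remote Apple Events) listens here
FINDER_COMMENT_ATTR = "kMDItemFinderComment"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str = ""


@dataclass(frozen=True)
class NetFlow:
    direction: str  # "inbound" or "outbound", relative to the monitored host
    src: str
    dst: str
    dport: int


def lineage(procs: Sequence[ProcEvent], pid: int) -> List[str]:
    """Return the ancestor chain for pid, root first, e.g. ['launchd', ..., 'bash']."""
    by_pid = {p.pid: p for p in procs}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against malformed telemetry with ppid cycles
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def _is_subsequence(pattern: Sequence[str], chain: Sequence[str]) -> bool:
    """True if every element of pattern appears in chain, in order, gaps allowed."""
    it = iter(chain)
    return all(any(name == wanted for name in it) for wanted in pattern)


def find_ras_lineage(procs: Sequence[ProcEvent]) -> List[int]:
    """PIDs whose ancestry contains the suspicious chain (descendants of bash match too)."""
    return [p.pid for p in procs if _is_subsequence(SUSPICIOUS_LINEAGE, lineage(procs, p.pid))]


def find_inbound_eppc(flows: Sequence[NetFlow]) -> List[NetFlow]:
    """Inbound connections to the eppc port; rare on most enterprise networks."""
    return [f for f in flows if f.direction == "inbound" and f.dport == EPPC_PORT]


def find_finder_comment_queries(procs: Sequence[ProcEvent]) -> List[int]:
    """mdls invocations that read the Finder comment attribute."""
    return [p.pid for p in procs if p.name == "mdls" and FINDER_COMMENT_ATTR in p.cmdline]


def run_detections(procs: Sequence[ProcEvent], flows: Sequence[NetFlow]) -> Dict[str, list]:
    return {
        "remote_application_scripting_lineage": find_ras_lineage(procs),
        "inbound_eppc_3031": find_inbound_eppc(flows),
        "mdls_finder_comment_queries": find_finder_comment_queries(procs),
    }


# Constructed sample telemetry (not real captures): one suspicious chain plus an
# ordinary user-opened Terminal session for contrast.
SAMPLE_PROCS = [
    ProcEvent(1, 0, "launchd"),
    ProcEvent(120, 1, "AppleEventsD"),
    ProcEvent(300, 120, "Terminal"),
    ProcEvent(301, 300, "bash", "bash -c id"),
    ProcEvent(400, 1, "Terminal"),
    ProcEvent(401, 400, "bash"),
    ProcEvent(402, 401, "mdls", "mdls -name kMDItemFinderComment /Users/alice/Downloads/report.pdf"),
    ProcEvent(403, 401, "mdls", "mdls -name kMDItemContentType /Users/alice/Downloads/report.pdf"),
]
SAMPLE_FLOWS = [
    NetFlow("inbound", "10.0.0.5", "10.0.0.20", 3031),
    NetFlow("outbound", "10.0.0.20", "203.0.113.10", 443),
    NetFlow("inbound", "10.0.0.7", "10.0.0.20", 22),
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_PROCS, SAMPLE_FLOWS).items():
        print(f"{rule}: {hits}")
```

On the sample data only the bash spawned under AppleEventsD, the single inbound 3031 flow, and the one mdls call that names kMDItemFinderComment are reported; the user-launched Terminal session and the kMDItemContentType query stay quiet.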
Introducing Project Swarm: a research initiative to defend the network edge and we're inviting you to join. Deploy a sensor on your infrastructure, capture real attacker traffic + compare what's hitting you to the GreyNoise global baseline. Join today! 🐝
#Hunting some interesting samples — no confirmed TA attribution yet, but the infra is worth tracking.
- Rust agent: signed by 'PACN TECNOLOGIA E SOFTWARE LTDA'
- Go agent: lekrmmagent → machinesdelek[.]com
- C2: mnks[.]digital (#claudermm-server-1 v0.1.0 - wt?)
- MSI: AssistenteEmpresarial / NF-e themed
#nexus_agent #Nexus Access V3
Anyone tracking something similar? #ThreatHunting
I pushed v2.0 of my macOS Persistence Cheatsheet:
https://t.co/tNtFHiHKxS
It’s more than a cheatsheet now: 49 mechanisms, acquisition guidance, source-of-truth notes, collection/triage commands, triggers, review points, and clickable refs.
YaraXGUI Improvements
Hex editor and a YARA match table to show all matches found. It supports more tabs, and YARA formatting is fixed as well. We can browse for rules and filter the files that we want to scan this time. The hex editor was added with the goal of making it more hassle-free.
Within the hex editor, we can also apply changes, do basic diffing, mark multiple regions and send them to the YARA editor. Also included is a way to select multiple regions; the gaps within each region can be set as wildcards so we do not need to calculate each size.
Can now do disassembly of a selected region (Capstone) and draw a basic CFG to do quick checks (maybe for certain obfuscation techniques or unique code blocks). Simple parsing for PE and ELF files.
Added a wonky and (not-so-reliable) autocomplete (NOT based off a parser), but good enough, I guess, for my workflow.
To try the new version: https://t.co/hrTWvxatgY
Someone open-sourced an Android emulator that runs in Docker.
It's called docker-android. One docker command spins up a complete Android device with ADB port-forwarding, KVM, and GPU acceleration, fully headless and CI-ready.
100% Open Source.
A Rust dev just killed Headless Chrome.
It's called Obscura. The open-source headless browser purpose-built for AI agents and scrapers at scale.
Chrome vs Obscura:
- Memory: 200MB+ → 30MB
- Binary: 300MB+ → 70MB
- Page load: 500ms → 85ms
- Startup: 2s → Instant
- Anti-detect: None → Built-in
Single binary. No Node, no Chrome, no dependencies.
Stealth mode is brutal:
→ Per-session fingerprint randomization (GPU, canvas, audio, battery)
→ 3,520 tracker domains blocked by default
→ navigator.webdriver masked to match real Chrome
→ Native function masking so detectors can't sniff it out
Drop-in replacement for Puppeteer and Playwright over CDP. Zero code changes.
If you run agents or serious scraping at scale, this repo prints money.
100% Open Source.
New MAD Bugs drop: we had Claude reverse Apple's macOS 26.4 SMB patch end-to-end and build a kernel PoC from just the advisory. CVE-2026-28825, heap OOB in smbfs.kext, reachable by clicking on any smb:// link in Finder, Safari, or Messages.
Root cause is a missing bounds check on an attacker-controlled compress length. The fun part is in Apple's own source: the check was there. A developer wrapped it in #if 0 because Windows Server kept tripping it, left a comment about it, and shipped.
The entire reversing, root-cause analysis, and PoC build was driven autonomously by Claude. We handed it the advisory URL and came back to a working panic.
It even blamed Microsoft for everything.
Full writeup: https://t.co/mlKG3e8icn
Found a macOS TOCTOU bug while reviewing Apple EDR integrations at @HuntressLabs.
A non-admin user can delete TCC-protected content by hitting the right timing window. Came up unexpectedly during the review, which made it a fun one.