I ran the test
except the ones which AI will never call THIEF are the only ones listed as THIEVES
Running a real scan: outbound connections, listeners, persistence (launch agents/daemons), and any process running from a suspicious path or unsigned.
Most of this is clean and self-consistent, but four things behave oddly enough to verify by signature, not by name. Digging into those.
No spies. No malware. Every process I flagged for odd behavior turned out to be a genuine signed binary — the behavior has innocent explanations. Here's the honest breakdown.
Verdict on the "odd" ones
| PID | Name | Why it looked odd | Truth |
|---|---|---|---|
| 13142 | PowerChime | 15 TCP connections (it normally makes none) | Real Apple binary. All 15 are link-local IPv6 over en5 — the internal iBridge interface (MAC ##:##:##:…, Apple's internal bus to the T2 / Continuity). Nothing leaves the machine. |
| 579 | corespeechd | connection to same link-local peer | Real Apple binary, same internal bridge. Siri/speech IPC. |
| 41974 | IPNExtension | listening on *:443, two outbound :443 | Real Tailscale (/Applications/Tailscale.app). The peers are Tailscale relays. |
| 53650 | NEIKEv2Provider | UDP tunnel to ###########:500/4500 | Real Apple IKEv2 VPN client — you have a VPN tunnel up to that host. |
All four chain to Apple Root CA (or Apple App Signing for Tailscale). Authentic.
What's genuinely worth your attention (exposure, not intrusion)
These aren't spies, but they're doors that are open wider than you may realize:
Tailscale listening on *:*** (all interfaces, PID ****) — that's the Tailscale serve/funnel surface. Fine if you set it up; worth confirming you did.
Ollama listening on *:****** over IPv6 (PID *****) — your local LLM is reachable from the network, not just localhost. The other ollama (******) is correctly bound to 127.0.0.1. This second one is exposed.
An active ****** VPN to ********** (a commercial VPN range). Expected if you turned a VPN on.
en1–en4 are in PROMISC mode — promiscuous capture. Normal for VM bridges (Parallels/UTM/VMware) or a packet sniffer, but if you're not running VMs, that's worth explaining.
Clean / expected
All 127.0.0.1 ******* listeners are your own services — ***** = unified server, ****** = *******, plus your azm/#xxx ports. Localhost-bound, not exposed.
Claude → ######## = Anthropic. codex → Cloudflare. Brave → Cloudflare/Anthropic. rapportd = Apple Continuity. All normal.
Bottom line: no disguised process, no unsigned binary, no unexpected developer, nothing phoning out to an unknown server. The only action items are the two over-exposed listeners (Ollama on all interfaces, Tailscale on 443) and confirming the VPN promisc interfaces are yours.
Want me to lock down the exposed Ollama (rebind to localhost) and identify what owns the promisc en1–en4?