Replying to @Khushiimehtaa5
On-device speech/voice-clone platform (HTTP/MCP/Bonjour LAN discovery) w/ text engine and AI summaries, shipped as a macOS LaunchAgent via my Codex plugin marketplace. Oh, and the only Codex SDK for macOS integrations in AppKit and SwiftUI. both pinned on my gh (link in bio)
181
Fixes: • Gateway daemon forwards `TMPDIR` so macOS LaunchAgent SQLite temp files open without `SQLITE_CANTOPEN` • Sandbox registry writes serialized with file locks and atomic replacement to prevent `sandbox list`/`prune` desync
1
16
I only use it reluctantly because there is no other option, but the Mac's LaunchAgent (LaunchDaemon) is really hard to use.
15
Andre Gironda retweeted
3/ A LaunchAgent gets disguised as com[.]apple[.]security[.]update.<suffix> (KeepAlive RunAtLoad). Working dir hides at '~/.cache/com.apple.crashreporter' - pretending to be a system crash reporter cache. Some samples of this family have already been detected by us in the wild, mainly in the US.
1
1
5
355
Happy to answer all your questions! 1. see pic for costs from last run, I guess I haven't thought about latency since it's just a background job. 2. The daily retro is triggered by a macOS launchd LaunchAgent, not by anything inside Claude Code (I have my laptop up and running 24/7). It triggers a script that prompts a headless claude session (claude -p "<prompt>") with a tight --allowedTools list, the prompt tells the session to run my playbooks/daily-retro.md which mines today's transcripts across all ~/.claude/projects/*/ dirs plus merged PRs/commits.
13
Replying to @adambcohen93
Local inference speech platform on macOS, native, with authenticated streaming remote generation via Bonjour discovery. LaunchAgent, integrated into Codex GUI and CLI as a plugin. Also the only Codex app-server SDK for seamless Apple platform integrations in AppKit and SwiftUI
1
60
Default profile got a lot smarter: - ccpm set-default pins Cursor / VS Code / Antigravity on macOS system-wide (LaunchAgent) - ccpm shell-init wraps plain `claude` in your terminal too - OAuth token save-back so switching defaults doesn't reintroduce stale refresh tokens
1
49
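tmux is convenient, but I almost never pick up a session from outside and continue working on my main machine. With PM2 you have to reconfigure it after every node update, which is a hassle. So, since I have auto-login set up, LaunchAgent looks like the best solution.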
75
Shai-Hulud moved from npm to PyPI. 19 bioinformatics packages, 37 malicious releases, hundreds of thousands of downloads — and a payload that's explicitly hunting Claude/MCP configuration files alongside the standard credential sweep. Socket caught it June 8. The scientific Python ecosystem had a quiet few weeks before that. The delivery mechanism is almost elegant in how boring it is. No pip error. No install warning. Just a .pth file sitting in the wheel. The next time Python starts — CI job, notebook kernel, test runner, pip list — so does the malware. The exposure window for any org running these packages in automated pipelines is effectively "since installation." Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH. Research tools. The kind that live on data science workstations and MLOps pipelines that historically get less scrutiny than production infra. Predictable in retrospect. The credential scope is unusually wide even by supply chain standards: GitHub tokens, Actions secrets, npm/PyPI/RubyGems/JFrog publishing tokens, AWS/GCP/Azure/Kubernetes/Vault credentials, SSH keys, Docker creds, .env/.npmrc/.pypirc, shell histories. And then, specifically, Claude/MCP configuration files. That's the tell. Shai-Hulud isn't just after cloud credentials — it's after AI agent configurations that may carry API keys, tool access, and agentic workflow definitions. The attack surface expanded to match the toolchain. We are nothing if not consistent. The exfiltration camouflage is where it gets deliberate. Traffic goes to api.anthropic.com/v1/api — a legitimate-looking but invalid endpoint. Any org that allowlists Anthropic API traffic at the network layer without inspecting payloads just handed this campaign a free pass. The malware walks out wearing a lab coat. Persistence lands via systemd services on Linux, LaunchAgents on macOS. The JavaScript payload (_index.js, obfuscated) runs under Bun, which the malware downloads from GitHub. 
Exfiltration goes two ways: auto-created GitHub repos via GitHub Actions, and HTTPS to that Anthropic-camouflaged endpoint. The evasion logic includes a Russian locale check and a StepSecurity Harden-Runner detection — this actor is thinking about the environments they're landing in. The harder problem is the propagation vector. Shai-Hulud isn't typosquatting. It's compromising legitimate maintainer accounts and injecting malicious releases into packages you already trust and already have pinned. Typosquatting is detectable by name-matching. A trusted package releasing a malicious version is a different threat model entirely — and the one the ecosystem is less equipped to catch at install time. Combined with the npm wave, the campaign is now at 453 artifacts across two ecosystems. This isn't a niche supply chain story anymore. It's an active, multi-ecosystem operation with an expanding playbook and an explicit interest in AI tooling. MITRE: T1195.001 (supply chain compromise), T1059.007 (JavaScript interpreter via Bun), T1546.004 (.pth startup hook), T1543.001/002 (LaunchAgent systemd persistence), T1552.001 (credentials in files), T1567.001 (exfil to GitHub repos via Actions). If your org runs any of the affected packages in development, research, or CI environments — rotate secrets now. GitHub tokens, cloud credentials, and anything stored in Claude Desktop or MCP config files. This is not a monitor-and-patch situation. The full affected package list is on Socket's tracker.

1
1
189
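A check for the `.pth` delivery mechanism described in the post above, as an added example that is not part of the post or of Socket's tooling. It lists the lines in a wheel's or an installed environment's `.pth` files that Python's `site` module executes at interpreter start; the sample wheel and its file names are constructed.

```python
import io
import site
import zipfile
from pathlib import Path

def exec_lines(text):
    """Lines of a .pth file that site.py exec()s: those starting with
    'import' followed by a space or tab. Other lines are only path entries."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def scan_wheel(wheel_bytes):
    """Map each .pth member of a wheel (zip archive) to its executable lines."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for name in whl.namelist():
            if name.endswith(".pth"):
                lines = exec_lines(whl.read(name).decode("utf-8", "replace"))
                if lines:
                    hits[name] = lines
    return hits

def scan_installed(dirs=None):
    """Same check over installed site-packages directories."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    hits = {}
    for d in map(Path, dirs):
        for pth in (sorted(d.glob("*.pth")) if d.is_dir() else []):
            lines = exec_lines(pth.read_text("utf-8", "replace"))
            if lines:
                hits[str(pth)] = lines
    return hits

def build_sample_wheel():
    """Constructed wheel: one plain path-entry .pth and one executable .pth."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as whl:
        whl.writestr("demo/__init__.py", "")
        whl.writestr("demo_paths.pth", "src\n# comment\n")
        whl.writestr("demo_init.pth",
                     "import os; os.environ.setdefault('DEMO_PTH_RAN', '1')\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_wheel(build_sample_wheel()))
    print(scan_installed())
```

Some legitimate packages also ship executable `.pth` lines, so treat hits as items to review against the package's known-good releases.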
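Memo on the Stack-chan modification plan starting tomorrow. Cautious rollout plan (draft)
Facts: 12.16.2.07 is the Wi-Fi side of the Mac mini. The Mac mini also has the wired side 4 at the same time. The current reservation API returns an empty array both when there are no reservations and when retrieval fails. Kaila/star-office-ui/backend/app.py:2 The Star Office backend is a shared process with 29 APIs. The ESP32-S3 cannot keep a Wi-Fi connection during deep sleep. Espressif official (docs.espressif.com/projects/…)
Assessment: The earlier proposal has the following problems. Adding control logic directly to Star Office affects all of the existing screens. A reservation retrieval failure may be mistaken for "no reservations". "Waking from deep sleep over Wi-Fi" does not work. Hard-coding the Mac's IP breaks communication when switching between wired and Wi-Fi. The ToF sensor's occupancy count stays off after a single missed detection. Introducing the AtomS3, PaHub and two sensors from the start is too complex. Therefore, the configuration is scaled down.
Minimal configuration: Reservation calendar ↓ read-only, new StackChan Bridge ↓ one-way communication from the Mac, StackChan dedicated firmware. In the initial stage the following are not changed: Star Office backend, kaila_voice.py, OpenClaw, HINA/SOUL-related, existing LaunchAgent, router settings, entry/exit sensors. StackChan is put not into deep sleep but into a "standby state" with the screen off, servos released and Wi-Fi kept up.
Staged rollout:
Factory firmware backup: dump the full flash twice; confirm the SHA-256 hashes match; record the Security information; writing to eFuse is prohibited.
Standalone firmware test: performed only with the StackChan connected over USB; check standby, preparation, three kinds of speech, bowing and stop; do not connect to KailaSystem.
Bridge shadow operation: only read the reservations every minute; record only an anonymous log saying "this would have been 5 minutes before"; send no commands to StackChan; run for 7 days.
5-minutes-before preparation only: speech and bowing are prohibited; only turn the screen on and return to facing front; run for 7 days.
Manual greeting: trigger arrival and exit from the bundled remote control; 50 times each, confirming no abnormal noise, duplication or failure to stop.
Examination room display: added after the core functions are stable; at first only Kaila/star-office-ui/frontend/index.html:15 is changed, after backing it up; the backend is not touched.
Sensor shadow operation: measure 100 times or more at the actual entrance; only record the judgment results and do not move the robot; the sensor model is not decided before this test.
Arrival automation: automate arrival only; exit stays on remote control operation.
Exit automation: added once arrival is stable.
Stop conditions: automatic operation stops on any of the following. Reservation retrieval failure; no response from StackChan; duplicate of the same command; a servo does not stop within the specified time; sensor order unknown; change of the Mac's network route; one or more mistaken greetings per day; abnormality in Star Office functions other than the examination room. #スタックチャン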

2
10
1,720
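A summary that re-organizes the overall picture of "ClickFix" (a technique that gets users to run commands themselves), which has spread from Windows to macOS. The individual techniques have been reported before, but this one explains them by pairing the decoy screens shown to the user with the execution chains running behind them. It also shows that behaviours meant to avoid detection and analysis are chained behind the scenes, such as muting the Mac's sound so nothing is noticed, taking silent screenshots, and restoring the volume once finished. Just as attackers move to routes other than Terminal even after a warning started to appear on paste, this kind of attack is shifting its weight from technical bypass toward moving people. What finally decides whether it succeeds is the single point of whether the user runs the presented command themselves. [Key points] ・Decoys are of the type that prompts command execution through fake "identity verification" screens or "free space optimization" notices. Since a warning on pasting into Terminal was reported in macOS Tahoe 26.4, routes other than Terminal are also used, such as having the browser open Script Editor via the applescript[:]// scheme and leading the user to run a pre-filled script ・The execution chain behind the scenes runs from a first stage that passes code fetched with curl directly to zsh or bash and runs it in memory, to processing that removes the quarantine attribute with xattr to avoid Gatekeeper warnings, to persistence through the auto-start mechanism (LaunchAgent) ・So as not to be noticed when sending data out, behaviour has been reported in which AppleScript mutes the device's sound, silent screenshots are taken (screencapture -x), and the volume is restored afterwards. If it finds information indicating a virtual or analysis environment it exits immediately, and on receiving a command it erases itself along with its traces after 3 seconds ・As distribution routes, typosquatted domains that get users to run curl by imitating the installation steps of Homebrew and the like, and a type that leads from fake technical articles prepared on Medium and elsewhere to "fix" commands, have been reported ・Theft targets are browser credentials, the keychain, Apple Notes, Telegram and Discord sessions, and crypto wallets (Ledger, Trezor, Exodus). It is said to be not a single operation but several competing groups using AMOS (Atomic Stealer), Cuckoo, SHub and others. See the following for details: levelblue.com/blogs/spiderla…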
6
23
1,401
Sophisticated supply chain attack targets CI/CD environments via npm packages using binding.gyp files to bypass security audits. Over 286 malicious versions across 56 packages deployed multi-layered encrypted payloads specifically designed to steal secrets from automated build systems. Key technical details: • Attack vector: binding.gyp files execute `node index.js` via GYP shell expansion during npm install, bypassing preinstall/postinstall script audits • Payload structure: 4.6MB obfuscated JS files with Caesar cipher → AES-128-GCM decryption → 720KB final payload encrypted with custom SHA-256 stream cipher • CI/CD targeting: Detects 30 environment variables (GITHUB_ACTIONS, GITLAB_CI, TRAVIS, etc.) before credential enumeration • Persistence mechanisms: Installs systemd/LaunchAgent services with dead man's switch - token revocation triggers `rm -rf ~/` command • Exfiltration: GitHub API dead-drop repos with python-requests/2.31.0 User-Agent, repository names like "thebeautifulmarchoftime" Campaign scope spans autotel-*, executable-stories-*, awaitly-*, eslint-plugin-*, and node-env-resolver-* package families. Attack timeline: June 3-4, 2026, 56 packages published in under 10 hours with version bumps above legitimate releases. Detection opportunity: Pure JavaScript packages containing binding.gyp files alongside multi-megabyte index.js files. Monitor for RegAsm.exe network connections and scan for unauthorized ~/.config/systemd/user/ services. #DFIR_Radar
1
3
5
675
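The detection opportunity named in the post above (a pure JavaScript package that ships `binding.gyp` next to a multi-megabyte `index.js`), written out as an added example that is not part of the post. The size threshold, the list of native source extensions and the three package names in the sample tree are assumptions made here.

```python
import os
import tempfile
from pathlib import Path

NATIVE_EXT = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".m", ".mm"}
BIG_JS = 1_000_000  # bytes; assumed cut-off for "multi-megabyte"

def own_files(pkg):
    """Files belonging to pkg itself, skipping nested node_modules."""
    for path in pkg.rglob("*"):
        if path.is_file() and "node_modules" not in path.relative_to(pkg).parts:
            yield path

def suspicious_packages(root):
    """Dirs with binding.gyp, no native sources, and an oversized index.js."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" not in files:
            continue
        pkg = Path(dirpath)
        native = any(p.suffix.lower() in NATIVE_EXT for p in own_files(pkg))
        index = pkg / "index.js"
        if not native and index.is_file() and index.stat().st_size >= BIG_JS:
            hits.append(pkg.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    """Run the check on a constructed tree of three made-up packages."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        layout = {
            "pure-js-pkg": {"binding.gyp": 40, "index.js": 2_000_000},
            "native-pkg": {"binding.gyp": 40, "src/addon.cc": 500, "index.js": 300},
            "big-bundle": {"index.js": 2_000_000},
        }
        for pkg, files in layout.items():
            for rel, size in files.items():
                target = nm / pkg / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(b" " * size)  # filler bytes, not real code
        return suspicious_packages(tmp)

if __name__ == "__main__":
    print(demo())
```

Run `suspicious_packages()` against a project directory or an unpacked tarball before install scripts are allowed to execute; a hit is a reason to inspect the package, not proof of compromise.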
✍️ Technical Analysis Published: Red Hat Cloud Services npm Package Supply Chain Poisoning MistEye detected that multiple npm packages under the @redhat-cloud-services organization (a total of 32 packages and 96 versions) were implanted with a multi-layer obfuscated malicious loader, which is automatically triggered during installation via the preinstall hook. After full reconstruction, the core payload is confirmed to be a variant of the Shai-Hulud malware family, possessing a wide range of advanced capabilities, including: 🔹GitHub Actions Runner memory reading 🔹Multi-cloud and local credential harvesting 🔹GitHub API exfiltration and dead-drop communication 🔹GitHub workflow injection 🔹npm self-propagation 🔹Persistence via Claude Code / VS Code / systemd / LaunchAgent 🔹Harden-Runner / StepSecurity evasion 🔹EDR/security product detection We performed full deobfuscation and capability reconstruction on the following three samples: • @redhat-cloud-services/frontend-components-config@6.11.3 • @redhat-cloud-services/types@3.6.1 • @redhat-cloud-services/rule-components@4.7.2 The report provides a detailed breakdown of the complete multi-stage attack chain, from the outer ROT AES-GCM layers through multiple obfuscation stages to the final payload execution. 📖 Full technical analysis: medium.com/@slowmist/threat-…
2
5
22
4,472
Recap - @sentrylauncher's factory contracts expose 4 different routes to creating live and immediately tradable markets - launch: permissionless. - use the sentry.trading app to deploy a token on @inkonchain or tag the @sentrylauncher account with instructions to deploy a token through X (from a verified X account). make sure to link your X account to sentry.trading to capture creator fees before deploying through X. - launchAgent: agent-native, USDT0-funded @tether leverage the inkonchain-mcp and skills docs to launch, transfer, trade, and much more on Ink! - launchKrakenVerified: KYC-gated, MEV-free. for Kraken Verified traders. - launchGoPumpMe: 100% fees to a creator outside of the sentry.trading app, these markets can be traded through Tsunami (nami.ink) on Ink.
1
1
6
180
2. Agent Launch - launchAgent() This one is built for autonomous agents. The agentLaunch function is gated to ERC-8004 onchain identities and creates a market with a USDT0 base pair @tether the USDT0 pairing is key here, because it closes a loop: agent launches → earns USDT0 from trading fees → spends that USDT0 to operate onchain (trade, lend, perp, pay) across inkonchain-mcp, nado-mcp tydro-mcp. the token's volume funds the agent. it is the basis for bootstrapping a self-sustaining agent economy that allows agents to fund their own operations.
1
2
6
170
New financially motivated threat actor JINX-0164 exploits LinkedIn social engineering and CI/CD infrastructure to target cryptocurrency developers with custom macOS malware. Active since mid-2025, the group successfully executed supply chain attacks via compromised npm packages. Campaign breakdown: • Initial access via fake LinkedIn recruiter profiles offering meetings on spoofed conferencing platforms • AUDIOFIX Python-based macOS infostealer targets 51 crypto wallet extensions, SSH keys, AWS/GCP credentials, and session tokens • CI/CD hijacking through developer impersonation in Git commits, injecting malware into internal repositories (T1195.002) • Supply chain attack: trojanized @velora-dex/sdk v4.9.1 on npm delivered MINIRAT Go backdoor • C2 infrastructure uses datahub[.]ink, cloud-sync[.]online, byte-io[.]us with AES-256-CBC encryption DFIR artifacts: • XOR-encoded passwords in ~/.zsh_cache indicate successful credential phishing • LaunchAgent persistence as com.microsoft.teams.coreaudiod or com.apple.Terminal.profiler • Unverified Git commit badges in GitHub Vigilant Mode expose developer impersonation • Clipboard monitoring logs with timestamps in malware working directory Hunt for unsigned binaries masquerading as system processes (coreaudiod, ChromeUpdater) with outbound HTTPS to low-reputation domains. Monitor npm package modifications and Git commits with mismatched author/committer fields. #DFIR_Radar
1
1
122
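A triage helper for the LaunchAgent persistence described in the post above and in the earlier post about the disguised com[.]apple[.]security[.]update.<suffix> agent, as an added example that is not from either post. The three heuristics (vendor-style label in a per-user folder, RunAtLoad with KeepAlive, a path inside a hidden directory) are assumptions drawn from those descriptions, and the sample plists are constructed.

```python
import plistlib
from pathlib import Path

# Vendor prefixes the posts report being imitated (heuristic, assumed list).
VENDOR_PREFIXES = ("com.apple.", "com.microsoft.")

def in_hidden_dir(path_str):
    """True if any path component is a dot-directory such as ~/.cache."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in Path(path_str).parts)

def audit_plist(data, user_level=True):
    """Return heuristic findings for one launchd job definition (plist bytes)."""
    job = plistlib.loads(data)
    findings = []
    if user_level and str(job.get("Label", "")).startswith(VENDOR_PREFIXES):
        findings.append("vendor-style label in a per-user LaunchAgents folder")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad together with KeepAlive")
    argv0 = (job.get("ProgramArguments") or [None])[0]
    targets = (job.get("Program"), job.get("WorkingDirectory"), argv0)
    if any(t and in_hidden_dir(str(t)) for t in targets):
        findings.append("program or working directory inside a hidden directory")
    return findings

def audit_dir(directory=None):
    """Audit every plist in ~/Library/LaunchAgents (or the given directory)."""
    directory = Path(directory or Path.home() / "Library" / "LaunchAgents")
    report = {}
    for plist in (sorted(directory.glob("*.plist")) if directory.is_dir() else []):
        try:
            findings = audit_plist(plist.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: report it
            findings = [f"unparseable: {exc}"]
        if findings:
            report[plist.name] = findings
    return report

# Constructed samples; the label suffix and executable name are made up.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.security.update.EXAMPLE",
    "ProgramArguments": ["/Users/test/.cache/com.apple.crashreporter/agent"],
    "WorkingDirectory": "/Users/test/.cache/com.apple.crashreporter",
    "RunAtLoad": True, "KeepAlive": True})
BENIGN = plistlib.dumps({"Label": "org.example.backup", "RunAtLoad": True,
                         "ProgramArguments": ["/usr/local/bin/backup"]})

if __name__ == "__main__":
    print(audit_dir())
```

Each finding is a prompt to check the job's executable and code signature by hand; legitimate software can trip any single heuristic.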
guys, I just updated the script so it can auto-run when you play Spotify/Apple Music (not yet tested because I'm not subscribed t__t) btw I'm thinking of rewriting it in Swift while I'm at it so it doesn't need a LaunchAgent, and it would definitely be lighter on RAM usage than
(using claude) I just created a macOS plugin that displays song lyrics synced with your Spotify without auth. So you can sing along reading the lyrics without opening Spotify 💃 github.com/nadialvy/spotify-…
5
2
25
2,285