
macOS XPC cached signature trust privilege-escalation flaw

Vulnerability
H score 23 · 1 unique source, 1 article

Summary


A flaw in how macOS XPC helpers verify trusted software lets a non-root user abuse cached signature trust to call privileged helper functions without authentication, opening a route to disable or remove EDR and MDM tools. XM Cyber traced the flaw to the way signed apps and their root helpers trust callers based on their CDHash. An attacker's process can inherit a legitimate app's trusted status and then invoke sensitive helper methods with no authentication. The result is a broad tamper-protection bypass across many macOS applications.

Related Happenings

CERT/CC UEFI DBX mitigation for vendor-signed applications

Advisory/Mitigation
H score 28 · First: 19.06.2026 21:33 · Last: 19.06.2026 21:33 · Sources: 1

About this happening: **CERT/CC** issued mitigation guidance to apply **UEFI Forbidden Signature Database (DBX)** updates, reducing **Secure Boot bypass** risk for affected vendor-signed **UEFI applica...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score 34 · First: 28.05.2026 10:54 · Last: 28.05.2026 10:54 · Sources: 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

macOS living-off-the-land analysis exposing native-feature abuse

Technical Analysis
H score 20 · First: 22.04.2026 19:30 · Last: 22.04.2026 19:30 · Sources: 1

About this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...

macOS LOTL detection and hardening guidance against native-tool abuse

Defensive Guidance
H score 17 · First: 22.04.2026 19:30 · Last: 22.04.2026 19:30 · Sources: 1

About this happening: Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...

GhostLoader staged npm install payload activity

Malware Activity
H score 30 · First: 24.03.2026 14:00 · Last: 24.03.2026 14:00 · Sources: 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

Timeline

  1. 25.06.2026 14:00 · 2 articles

    XM Cyber discloses macOS XPC trust bypass affecting EDR and MDM tools

    Initial Disclosure

    XM Cyber disclosed a macOS privilege-escalation technique that lets a standard local user abuse cached XPC trust and signed-app behavior to call privileged helper functions without authentication. The technique can be used to run commands or to shut down apps and system extensions, including fully unloading CrowdStrike's Falcon sensor from a standard user account, which undermines detection, process monitoring, and network visibility. CrowdStrike added detection and prevention across supported macOS sensor versions, and Kandji's MDM agent was fixed and assigned CVE-2026-39118.
