Mac security · built from a real infection

I build with AI tools all day. An infostealer wiped me out anyway.

A hands-on playbook + toolkit to harden your Mac, reduce attack surface, and recover faster if an AMOS/Poseidon-class infostealer hits.

Join the waitlist: the free checklist goes out first.

The hit

The dashboard was green. The backdoor was still running.

I was technical enough to be targeted, not immune.

It came in through a trusted install on a Mac where I ran as admin.

For about three months, an AMOS/Poseidon-class infostealer ran as me, masquerading as Apple processes. One process wrote my login password to a hidden file; another kept running after antivirus said the machine was clean.

That meant every password, API key, SSH key, cloud token, and browser session that machine had touched had to be treated as already stolen.

Read the compressed incident note

The painful part was not only finding malware. It was realizing how much access sat within reach of anything running under my user account. Once trust was gone, the only sane path was wipe, reinstall, rotate credentials, rebuild the machine, and rethink what should have been reachable in the first place.

Why it matters

The obvious advice did not match the actual problem.

The useful guidance was scattered. The recovery sequence was the missing piece.

  • Admin-by-default risk: daily work had too much reach when one bad install ran as me.
  • False confidence: antivirus reported clean while a disguised process remained loaded.
  • Credential sprawl: browser sessions, keys, and tokens created a larger blast radius.
  • No clear runbook: the hardest part was knowing what to rotate, wipe, check, and rebuild first.

What you get

A practical Mac hardening and recovery playbook.

Not antivirus. Not a magic app. A calm sequence for raising the bar before a bad run and recovering faster after one.

  • Threat model: how infostealers reach developers through installers, Terminal-paste lures, malicious packages, and dev-tool trust.
  • Hardening checklist: safer defaults, credential hygiene, browser/session cleanup, and reduced day-to-day blast radius.
  • Egress and monitoring notes: what to watch and how to make strange behavior easier to notice.
  • Post-infection recovery: the order of operations for wipe, reinstall, rotation, account review, and rebuild.
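
The incident above describes processes masquerading as Apple components, and the monitoring notes promise ways to make that kind of behavior easier to notice. One cheap triage check a defender can script is to list running executables and flag Apple-looking names that run from paths where Apple's own binaries never live. The Python below is an added example, not code from this page's author or from the playbook; the system and user-writable prefix lists, the name pattern, and the sample `ps` output are constructed assumptions for illustration.

```python
"""Triage running processes for Apple-looking names executing from suspicious paths.

Added example (not the playbook's own code). Input is the output of
`ps -axo pid=,user=,comm=` on macOS, where `comm=` prints the executable path
without arguments. The sample below is constructed; on a real Mac, pipe live ps
output into triage() and verify each hit with `codesign -dv <path>`.
"""
import re
from dataclasses import dataclass

# Where Apple-signed system binaries normally execute from. Assumption: a
# reasonable allowlist for a default install, not an exhaustive one.
SYSTEM_PREFIXES = (
    "/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/",
    "/sbin/", "/bin/", "/Library/Apple/",
)

# Locations any process running as the user can write to. A process that
# imitates an Apple name from here is the pattern the incident describes.
USER_WRITABLE_PREFIXES = (
    "/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/",
)

# Constructed heuristic for "looks like an Apple component". A real tool would
# build this from the binaries actually found under SYSTEM_PREFIXES.
APPLE_LOOKING = re.compile(r"apple|icloud|spotlight|trustd|launchd", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    user: str
    path: str
    severity: str  # "high": user-writable path; "review": outside system paths
    reason: str


def parse_ps_line(line):
    """Return (pid, user, path) for one `ps -axo pid=,user=,comm=` line, else None.

    The third field is the whole remainder, so executable paths containing
    spaces (e.g. under "Application Support") are kept intact.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    pid, user, path = parts
    return int(pid), user, path


def classify(pid, user, path):
    """Flag an Apple-looking executable name that is not under a system prefix."""
    name = path.rsplit("/", 1)[-1]
    if not APPLE_LOOKING.search(name):
        return None
    if path.startswith(SYSTEM_PREFIXES):
        return None  # expected location for a genuine Apple binary
    if path.startswith(USER_WRITABLE_PREFIXES):
        return Finding(pid, user, path, "high",
                       "Apple-looking name running from a user-writable path")
    return Finding(pid, user, path, "review",
                   "Apple-looking name outside system paths; verify code signature")


def triage(ps_output):
    """Run classify() over every parsable line and return the findings in order."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        finding = classify(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample resembling `ps -axo pid=,user=,comm=` output.
SAMPLE_PS = """\
    1 root  /sbin/launchd
  412 alice /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
  713 alice /usr/libexec/trustd
  988 alice /Users/alice/Library/Application Support/.com.apple.update/AppleUpdater
 1021 alice /private/tmp/.cache/com.apple.helper
 1340 alice /Applications/SomeVendor.app/Contents/MacOS/AppleScriptRunner
 2010 alice /usr/bin/python3
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PS):
        print(f"[{f.severity}] pid={f.pid} user={f.user} {f.path}: {f.reason}")
```

The allowlist-by-location check is deliberately the first pass, not the verdict: a genuine Apple binary under `/System/` is skipped, a lookalike under the user's home or `/private/tmp` is rated high, and a third-party app in `/Applications` with an Apple-sounding helper name is only marked for signature review. Antivirus reporting clean, as in the incident, says nothing about whether a process like the two "high" hits is still loaded; a listing like this one surfaces them regardless of what a scanner reports.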

This is an experience-based educational resource from someone who lived through an infection and rebuild — not professional security advice, and not a guarantee. No tool or playbook can make any machine "unhackable." The goal is to raise the bar and help you recover faster. You remain responsible for your own systems.