v1.12.5 Alpha

Exoskeleton for your Mac.

Catches malware, credential theft, and rogue AI agents on your Mac. Built on Apple's Endpoint Security framework. Runs entirely on-device — no cloud, no account.

  • 469+ detection rules, Sigma-compatible
  • Supply-chain worm detection (Shai-Hulud-class npm attacks)
  • AI coding tool guardrails — Claude Code, Codex, Cursor, Copilot
  • Agent Traces — see what your AI tools actually did

Iterating fast — expect false positives and frequent updates.

$ brew tap peterhanily/maccrab https://github.com/peterhanily/maccrab
$ brew install --cask maccrab
[Screenshot: MacCrab dashboard, Overview workspace. A green banner reads 'Protected — system is secure · Live data flowing, 16 collectors active' above KPI tiles (Security Grade A−, 10 Open Alerts, 9 Active Campaigns, Event Rate 126 events per second, AI Guard and Threat Intel status), a 7-day alert volume bar chart and a Recent activity list; the left sidebar lists the nine workspaces.]

Detection

See what's happening, as it happens.

MacCrab listens to Apple's Endpoint Security feed — the same kernel-level events macOS gives to security tools. It turns that firehose into readable alerts, on your machine.


AI coding tool guardrails

Claude Code, Codex, Cursor, and Copilot are powerful — and sometimes they wander. MacCrab watches for credential reads, project-boundary escapes, prompt injection, and rogue MCP servers.

ai_guard · agent_traces · agent_lineage · mcp_server · prompt_injection

Agent Traces

See every file your AI agent touched, every command it ran, every network call it made — tied back to the exact prompt that caused it. OpenTelemetry over a local loopback, encrypted at rest, with vendor secrets scrubbed at the wire.

w3c_traceparent · opentelemetry · otlp_receiver · aes_gcm

Supply-chain worms

Shai-Hulud-class npm worms steal a maintainer's npm token, then publish themselves into every package that maintainer owns. MacCrab fires when a credential read and a registry publish happen in the same process tree within a minute. Plus typosquat scoring, attestation checks, and canary CLAUDE.md / .claude/skills/ decoys that AI agents will read but humans won't.

shai_hulud · sigstore · typosquat · honey_prompts · bayesian_intent

Persistence & malware

LaunchAgents, dylib hijacks, quarantine-stripped payloads, kernel extensions, TCC bypasses, quick-look plugins, folder actions — 469+ Sigma-compatible rules across 17 tactic categories.

sigma · mitre_att&ck · 469+ rules

Credential theft

Keychain dumps, browser password-store reads, SSH-key exfiltration, AWS credential access. Honeyfile tripwires drop at the usual credential paths to catch what rules miss.

keychain · honeyfiles · browser_ext

Attack campaigns

Multi-step attacks stitched together by process lineage and time. When a browser spawns a shell that strips quarantine and installs a LaunchAgent, you see one campaign — not four loose alerts to piece together by hand.
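
The two correlations this page describes, the supply-chain worm sequence rule (a credential read followed by a registry publish in one process tree within a minute) and campaign stitching by process lineage, as one added Python example that is not MacCrab's own code. The event tuples, the RULES predicates and the 60-second default window are assumptions standing in for the Endpoint Security feed and the real Sigma rules:

```python
from collections import defaultdict

# Constructed sample events: (timestamp_s, pid, ppid, kind, detail). Two trees: a browser-spawned
# shell that strips quarantine and drops a LaunchAgent, and a node postinstall that reads ~/.npmrc
# then runs `npm publish`. A lone .npmrc read with no publish afterwards is the negative case.
EVENTS = [
    (0.0,   501, 1,   "exec", "/Applications/Safari.app/Contents/MacOS/Safari"),
    (5.0,   620, 501, "exec", "/bin/zsh"),
    (6.0,   621, 620, "exec", "/usr/bin/xattr -d com.apple.quarantine /tmp/drop"),
    (7.0,   622, 620, "exec", "/bin/cp /tmp/drop ~/Library/LaunchAgents/com.x.plist"),
    (100.0, 700, 1,   "exec", "/usr/local/bin/node postinstall.js"),
    (101.0, 701, 700, "open", "/Users/dev/.npmrc"),
    (130.0, 702, 700, "exec", "/usr/local/bin/npm publish"),
    (900.0, 800, 1,   "open", "/Users/dev/.npmrc"),
]

RULES = {  # assumed per-event predicates standing in for the real Sigma rules
    "cred_read":        lambda k, d: k == "open" and d.endswith((".npmrc", ".aws/credentials")),
    "registry_publish": lambda k, d: k == "exec" and d.endswith("npm publish"),
    "quarantine_strip": lambda k, d: k == "exec" and "com.apple.quarantine" in d,
    "launchagent_drop": lambda k, d: k == "exec" and "LaunchAgents" in d,
    "shell_exec":       lambda k, d: k == "exec" and d.endswith("/zsh"),
}

def root_of(pid, parents):  # walk ppid links up to launchd (pid 1), the tree boundary
    while parents.get(pid, 1) != 1:
        pid = parents[pid]
    return pid

def rule_hits(events):  # yield (timestamp, tree_root, rule_name) for each match, in time order
    parents = {pid: ppid for _, pid, ppid, _, _ in events}
    for ts, pid, _, kind, detail in sorted(events):
        for name, pred in RULES.items():
            if pred(kind, detail):
                yield ts, root_of(pid, parents), name

def detect_worm(events, window=60.0):
    """Sequence rule: a credential read then a registry publish in one tree within window."""
    reads, hits = defaultdict(list), []
    for ts, root, name in rule_hits(events):
        if name == "cred_read":
            reads[root].append(ts)
        elif name == "registry_publish" and any(0 <= ts - r <= window for r in reads[root]):
            hits.append(root)
    return hits

def stitch_campaigns(events):  # group hits by lineage root: one intrusion, one campaign
    campaigns = defaultdict(list)
    for _, root, name in rule_hits(events):
        campaigns[root].append(name)
    return dict(campaigns)
```

Running `detect_worm(EVENTS)` flags only the postinstall tree (root pid 700), while `stitch_campaigns(EVENTS)` returns the browser tree's three hits as one campaign instead of three loose alerts.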

kill_chain · ueba · lineage_dag

Dashboard

Native Mac. Keyboard first.

A SwiftUI menubar app organised into nine workspaces — Overview, Alerts, Events, Investigation (Agent Traces, visual TraceGraph), Detection, Prevention, Intelligence, System, and Docs. Or skip the GUI entirely and drive it from the CLI.

Current release

What ships in v1.12.5.

  • 469+ detection rules
  • 39 sequence rules
  • 17 tactic categories
  • 5 LLM backends
  • 1490 tests passing

Privacy

Your data. Your device.

Detection data is a full picture of what's happening on your machine — it should stay there. MacCrab keeps events in a local SQLite database, runs analysis on-device by default, and ships no telemetry unless you turn it on.

  • On-device by default: Fleet telemetry, threat-intel feeds, and cloud LLM backends are opt-in switches, not defaults.
  • No account required: No signup or license server. Install, approve the system extension, done.
  • Local LLM first: Ollama is the recommended backend for AI analysis. If you choose a cloud backend, the sanitiser strips usernames, private IPv4 and IPv6 ranges, Mac ComputerName strings, Bearer tokens, and every known API-key shape (Anthropic, OpenAI, Google, AWS, GitHub, Slack, Stripe, Twilio, Postman, Cloudflare, DigitalOcean, Heroku, Vercel, npm, JWT, and 8 more) plus a Shannon-entropy fallback for unknown-vendor secrets, before anything leaves your Mac.
  • Audit the source: MacCrabCore is Apache 2.0. Every collector, rule, and sanitiser is on GitHub for you to read.

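
The sanitiser pipeline described above, as an added Python example rather than the MacCrabCore implementation. The vendor key patterns, the private-IP ranges, the 24-character minimum token length and the 4.0 bits-per-character entropy threshold are assumptions of this example, and the sample text is constructed:

```python
import math
import re

# Assumed redaction patterns that approximate each vendor's public key shape. The list is an
# example and not a copy of the MacCrabCore sanitiser; extend it the same way for more vendors.
VENDOR_KEYS = [
    ("anthropic", r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    ("openai",    r"sk-[A-Za-z0-9]{20,}"),
    ("github",    r"gh[pousr]_[A-Za-z0-9]{36}"),
    ("aws",       r"AKIA[0-9A-Z]{16}"),
    ("slack",     r"xox[baprs]-[A-Za-z0-9-]{10,}"),
    ("jwt",       r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
]
BEARER    = re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*")
IPV4_PRIV = re.compile(r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)(?:\.\d{1,3}){2}\b")
IPV6_PRIV = re.compile(r"\b(?:f[cd][0-9a-f]{2}|fe[89ab][0-9a-f])(?::[0-9a-f]{0,4}){1,7}\b", re.I)
TOKEN     = re.compile(r"[A-Za-z0-9+/_\-]{24,}")   # long opaque runs: entropy-fallback candidates

def shannon_entropy(s):
    """Bits per character: 32 distinct characters score exactly 5; repeats pull the score down."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def sanitise(text, username, computer_name, entropy_threshold=4.0):
    """Redact in a fixed order: identity, known key shapes, bearer tokens, private IPs, and
    finally any leftover high-entropy run as an unknown-vendor secret."""
    text = text.replace(computer_name, "[host]")
    text = re.sub(rf"\b{re.escape(username)}\b", "[user]", text)
    for vendor, pattern in VENDOR_KEYS:
        text = re.sub(pattern, f"[{vendor}-key]", text)
    text = BEARER.sub("Bearer [token]", text)
    text = IPV4_PRIV.sub("[ipv4]", text)
    text = IPV6_PRIV.sub("[ipv6]", text)
    return TOKEN.sub(lambda m: "[secret]" if shannon_entropy(m.group()) >= entropy_threshold
                     else m.group(), text)

# Constructed sample: a shell transcript line, an env dump and a log line, as an AI-analysis
# request might carry them. The GitHub and npm tokens are fake values built inline.
SAMPLE = (
    "dev@Devs-MacBook-Pro ~ % curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln' "
    "https://10.0.0.5/v1 -d @/Users/dev/proj/body.json\n"
    "env: GITHUB_TOKEN=ghp_" + "A" * 36 + " NPM_TOKEN=Qz7vK2pL9mX4rT1wB8nH3cF6jD5sG0yA\n"
    "peer fd12:3456::1 reported com.apple.quarantine stripped on /tmp/drop\n"
)

if __name__ == "__main__":
    print(sanitise(SAMPLE, username="dev", computer_name="Devs-MacBook-Pro"))
```

Note that the low-entropy fake GitHub token is still caught, because shape matching runs before the entropy fallback; the fallback only has to cover tokens whose vendor shape is unknown.
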
Install

Up and running in a few minutes.

macOS 13 Ventura or later. On first launch you'll approve the system extension in System Settings → Login Items & Extensions, and grant Full Disk Access for complete event coverage.

Homebrew (recommended)

Cask install with auto-update. Drops the signed app in /Applications and the CLI on your PATH.

brew tap peterhanily/maccrab \
  https://github.com/peterhanily/maccrab
brew install --cask maccrab

Direct DMG

Grab the signed DMG from GitHub Releases. Drag MacCrab.app to /Applications, then approve the system extension on first launch.

open https://github.com/\
  peterhanily/maccrab/releases/latest

From source

Swift 5.9 + Xcode 15. Builds the seven SPM targets (core, agent kit, sysext, legacy daemon, CLI, MCP server, app) with ad-hoc signing for development.

git clone https://github.com/peterhanily/\
  maccrab.git && cd maccrab
make dev

Frequently asked

Common questions.

Short answers to what people ask most. For the long-form versions, see the README, privacy policy, and security policy.

What is MacCrab?
MacCrab is a local-first macOS threat detection engine. It uses Apple's Endpoint Security framework, 469+ Sigma-compatible detection rules, behavioural scoring, campaign correlation, and Agent Traces (W3C TRACEPARENT correlation between AI-agent activity and kernel events) to surface suspicious activity on your Mac — entirely on-device, with no cloud console or account.
Does MacCrab replace my antivirus?
No. MacCrab complements macOS's built-in defences (Gatekeeper, XProtect, MRT) and existing antivirus products. It focuses on behavioural detection and Sigma-rule threat hunting rather than signature-based scanning, so the two are additive.
Is any of my data sent to a cloud service?
Not by default. MacCrab stores events in a local SQLite database and runs analysis on-device. Fleet telemetry, threat-intelligence feeds, and cloud LLM backends are opt-in. When a cloud backend is enabled, usernames, private IPs, and hostnames are automatically redacted before any request leaves your Mac.
Which macOS versions does MacCrab support?
macOS 13.0 Ventura or later. On first launch you approve the System Extension in System Settings → General → Login Items & Extensions → Endpoint Security Extensions, then grant Full Disk Access for complete event coverage.
How does MacCrab compare to Santa or osquery?
They solve different problems. Google's Santa is a binary allow/deny authorisation policy engine. osquery is a scheduled SQL query engine with a large ecosystem. MacCrab is real-time, Sigma-rule-based threat detection with behavioural scoring and campaign correlation. All three can run alongside each other.
Is MacCrab open source?
Yes. MacCrabCore is Apache 2.0 licensed and hosted at github.com/peterhanily/maccrab. Every collector, detection rule, sanitiser, and the daemon entry-point is readable.
How do I report a security vulnerability?
Email maccrab@peterhanily.com rather than opening a public GitHub issue. MacCrab follows responsible-disclosure practices documented in SECURITY.md.