I’ll keep this short. It was late, I was doing some Mac cleanup and found a command online. Wasn’t thinking, ran it. About 30 seconds later my brain caught up and I was like — what the hell did I just do. It was one of those base64-encoded curl-pipe-to-shell things. Downloads and executes a script before you even see what’s inside.

I was already in a Claude Code session, so I pasted the command and asked if I just got hacked. Within minutes it:

- Decoded the obfuscated command and identified the malicious URL hidden inside
- Found the malware binary (~/.mainhelper) actively running on my system
- Found a persistence loop that restarted the malware every second if killed
- Found a fake LaunchDaemon disguised as com.finder.helper set to survive reboots
- Found credential files the malware dropped
- Killed the processes, deleted the files, walked me through removing the root-level persistence
- Checked file access timestamps and figured out exactly what was stolen — Chrome cookies, autofill/card data, and Apple Notes were all accessed at the exact second the malware ran
- Confirmed my Keychain was likely NOT compromised by checking ACLs and security logs
- Wiped the compromised Chrome data to invalidate stolen session tokens
- Ran a full sweep of LaunchAgents, LaunchDaemons, crontabs, login items, shell profiles, SSH keys, DNS, and sudoers to make sure nothing else was hiding

The whole thing from “did I just get hacked” to “you’re clean” took maybe 15 minutes. I don’t think I would have caught half of this on my own. Heck, I don’t even fully have the knowledge to secure myself on my own. Especially the LaunchDaemon that would’ve re-infected me on every reboot.

Not a shill post. I genuinely didn’t expect an AI coding tool to be this useful for incident response. Changed my passwords, moved my crypto, revoked sessions. But the fact that it not only walked me through the full forensics process in real time but actually killed the malware was honestly impressive.
Originally posted by u/Mission-Elk54 on r/ClaudeCode
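As an added example that is not part of the original post: a POSIX shell sweep of one launchd directory for the kind of persistence described above (a daemon pointing at a dotfile under a home directory, a download-and-run loader, or a KeepAlive job that is relaunched the instant it is killed). It assumes XML plists (binary ones can be converted with `plutil -convert xml1`), and the two plists it writes are constructed samples, not the real artifacts.

```shell
# Heuristic sweep of one launchd directory; prints "<file>: <reasons>" per hit.
scan_launchd_dir() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        reasons=""
        # every <string> value in the plist, one per line, tags stripped
        vals=$(grep -o '<string>[^<]*</string>' "$f" | sed 's/<[^>]*>//g')
        # program hidden as a dotfile under a home directory, e.g. /Users/me/.mainhelper
        if printf '%s\n' "$vals" | grep -qE '^/(Users|home)/[^/]+/\.'; then
            reasons="$reasons hidden-home-path"
        fi
        # program living in a world-writable temp directory
        if printf '%s\n' "$vals" | grep -qE '^/(private/)?(tmp|var/tmp)/'; then
            reasons="$reasons tmp-path"
        fi
        # a bare curl/wget/base64 argument: download-and-execute loader
        if printf '%s\n' "$vals" | grep -qE '^(/usr/bin/)?(curl|wget|base64)$'; then
            reasons="$reasons download-and-run"
        fi
        # KeepAlive=true: launchd relaunches the job the moment it is killed
        if tr -d ' \t\n' < "$f" | grep -q '<key>KeepAlive</key><true/>'; then
            reasons="$reasons keepalive"
        fi
        [ -n "$reasons" ] && printf '%s:%s\n' "$f" "$reasons"
    done
    return 0
}

# Constructed samples (not real artifacts): a fake Apple-looking daemon like
# the post's com.finder.helper, plus a benign scheduled job, written to DIR.
write_sample_plists() {
    printf '%s\n' '<plist version="1.0"><dict>' \
      '<key>Label</key><string>com.finder.helper</string>' \
      '<key>ProgramArguments</key><array><string>/Users/victim/.mainhelper</string></array>' \
      '<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>' \
      '</dict></plist>' > "$1/com.finder.helper.plist"
    printf '%s\n' '<plist version="1.0"><dict>' \
      '<key>Label</key><string>com.example.backup</string>' \
      '<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>' \
      '<key>StartInterval</key><integer>3600</integer>' \
      '</dict></plist>' > "$1/com.example.backup.plist"
}

# Demo on the constructed samples. On a real Mac, run scan_launchd_dir on
# /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents.
tmp=$(mktemp -d)
write_sample_plists "$tmp"
scan_launchd_dir "$tmp"
rm -rf "$tmp"
```

A hit is only a lead to inspect by hand (check the binary's signature and timestamps); a legitimate job can trip the KeepAlive rule on its own.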
