"Dodgy" FabFilter Mac installer from team GMATIC left "CoreAudio.app" on system

Discussion in 'Forum News and Updates' started by Vaultnaemsae, Feb 28, 2025 at 6:01 PM.

  1. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    888
    Likes Received:
    568
    Technically, rug pulls aren't really theft. I mean, they are, but legally, you bought a coin, with likely no promises, not even knowing who the dev is etc., that's on you. Your transaction getting interrupted by malware is outright theft. I have a friend who had 100k stolen by a SIM card swap; he contacted Coinbase, and they contacted police, and they actually caught the guy.
     
  2. heero

    heero Newbie

    Joined:
    Jun 30, 2019
    Messages:
    24
    Likes Received:
    1
    dox-gate? what was that?
     
  3. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,968
    Likes Received:
    3,490
    you can see everything this installer tries to do in Suspicious Package. https://mothersruin.com/software/SuspiciousPackage/

    Suspicious Package shows about 2500 warnings on this one installer. File size mismatches, stuff that shows it wants to use "admin" when it actually tries to get Wheel (root).

    The version of "coreaudio.app" will not even run on Mojave.

    With the comment above that sounds like "conspiracy theory" re: "dox-gate", it would not surprise me at all if they were related. It's not a "stolen release" in the normal sense, with someone trying to gain money or credit for someone else's work. It's like someone melting a trojan server into MS Paint but made attractive to possible downloaders of Fabfilter plugins.

    Consider the timing. Maybe keep your eyes open for some Windows attempt with something else.
     
    Last edited: Mar 1, 2025 at 9:23 AM
  4. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,597
    Likes Received:
    680
    ...and those f'ers just reposted it....

    I know the mods have to deal with whack-a-mole sometimes, and there aren't enough hands on deck to manually approve posts I imagine in a timely fashion, but there is a solution in need of finding here I think....
     
  5. typical-love

    typical-love Producer

    Joined:
    May 9, 2020
    Messages:
    269
    Likes Received:
    120
    Another dodgy release... stay on your toes everyone. I think we need more vetting of uploads by new teams/uploaders now.
     
  6. omiac

    omiac Moderator Staff Member

    Joined:
    May 3, 2024
    Messages:
    227
    Likes Received:
    227
    Already removed. It was queued prior to the ban issued... I/we are on it!

    Please, if anyone sees something suspicious like this, use PM to contact myself and/or PiRAT ASAP, report it and post a warning notice comment letting other members know what's up. TY!
     
  7. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,458
    Likes Received:
    596
    Location:
    CBGB omfug
    GMATIC eh? Good to know if I ever see any "releases" by that group for winOS to simply ignore em...
     
  8. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    7
    Likes Received:
    0
    Thank you to the community for all the additional information.

    I have a full backup of my system prior to the installation. I’m not sure if it is a nuclear option to revert to that if I’ve simply removed the “CoreAudio.app”.

    One earlier post indicated that simply removing the app would be OK and the only threat would be if one had transacted in crypto presumably after launching the dodgy app, due to the presence of a keylogger.

    But another post indicates that there were 2500 warnings against the app when they inspected the package contents. Seems like there may be more to it than simple removal.
     
  9. odod

    odod Rock Star

    Joined:
    Jun 5, 2011
    Messages:
    849
    Likes Received:
    416
    GMatic just posted Rev1 .. what a dick!
     
  10. loveriuz

    loveriuz Producer

    Joined:
    Jan 1, 2022
    Messages:
    219
    Likes Received:
    97
    Location:
    East of Jupiter
    Good it wasn't a DOGE Coin stealer, my stuff is safe :disco:
     
  11. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,968
    Likes Received:
    3,490
    While I would feel safe just deleting "CoreAudio.app" and the plugins; the reason why for me is because I do not have SIP disabled, and because I know my firewalls are not going to just allow something like that out to send any data ex: telemetry or passwords. I went through all the receipts and post-install scripts. The only one that calls Coreaudio.app is the post install script for Simplon.

    But if I had a brand new Time Machine backup, I'd go back to it anyway.
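
The script review described in the post above can be repeated on an installer that has been unpacked but not run. This is an added example, not part of the original post: the component names `PluginA.pkg`/`PluginB.pkg`, the script contents and the `/path/to/` location are constructed, and the tree stands in for the output of `pkgutil --expand`.

```shell
#!/bin/sh
# List install-script files in an unpacked installer that mention a string.
# On macOS the tree is produced without running anything by:
#   pkgutil --expand Installer.pkg expanded/
# Each component package then has its own Scripts/ directory.

# find_script_refs DIR PATTERN
# Prints the path (relative to DIR) of every file inside a Scripts/
# directory that contains PATTERN (fixed string, case-insensitive).
find_script_refs() {
    dir=$1
    pattern=$2
    find "$dir" -type f -path '*/Scripts/*' | sort |
    while IFS= read -r script; do
        if grep -qiF -- "$pattern" "$script"; then
            printf '%s\n' "${script#"$dir"/}"
        fi
    done
}

# Constructed sample tree: two component packages, one of whose
# postinstall scripts references the unexpected app bundle.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/PluginA.pkg/Scripts" "$root/PluginB.pkg/Scripts"
    printf '#!/bin/sh\nchown -R root:wheel "/Library/Audio/Plug-Ins"\n' \
        > "$root/PluginA.pkg/Scripts/postinstall"
    printf '#!/bin/sh\nopen "/path/to/CoreAudio.app"\n' \
        > "$root/PluginB.pkg/Scripts/postinstall"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
find_script_refs "$sample" "coreaudio.app"
rm -rf "$sample"
```

A hit only shows which component's script mentions the bundle; the script itself still has to be read to see what it does with it.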
     
  12. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,722
    Likes Received:
    1,894
    Just in case anyone downloads something suspicious in future, and they want to know immediately if the file is a potential virus (or other form of nasty) make a note of this site:-

    https://virusscan.jotti.org/


    You can upload the file to this site and they will search through lots of different virus checkers, and let you know if it is safe/dangerous.

    I take it as if 3 or over are reporting it as a virus, then it isn't a false positive!
     
  13. hot rats

    hot rats Member

    Joined:
    Oct 7, 2022
    Messages:
    30
    Likes Received:
    18
    I double check most releases with Pacifist (Mac). Some releases (e.g. Moria) are zipped and unzip to “root” for installing. This together with passwords for “Keychain” can get you into real trouble. I can trust people with solid releases in the past - the problem starts when/if they get hacked! Better still to install in a backup operating system. SIP disabled is OK if you know what you’re doing! Still I’ll be cautious for internet use. Unfortunately the Mac crowd is full with newcomers lately who spend big $$ for a new M4… but they expect free software. These are the people who are most vulnerable.. so
     
  14. fiction

    fiction Audiosexual

    Joined:
    Jun 21, 2011
    Messages:
    1,939
    Likes Received:
    706
    Sorry but this just doesn't apply to any well-done new attack.
     
  15. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,458
    Likes Received:
    596
    Location:
    CBGB omfug
    Tend to agree there. If it turns out to be something brand new and/or unique that doesn't adhere to any known quantities, odds are it will slide right past any scanners.
     
  16. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,722
    Likes Received:
    1,894
    To the 2 above me. How do you think these companies find OUT about new attacks hmm? By reporting to that site, they send them to the companies for immediate checking. I thought you especially @saccamano would appreciate the importance of such!
     
  17. BOB HUMPHREY

    BOB HUMPHREY Newbie

    Joined:
    Jan 14, 2025
    Messages:
    3
    Likes Received:
    2
    Unfortunately I installed. Can you tell me if deleting core audio and reinstalling the latest version of hciso is safe? Thanks
     