"Dodgy" FabFilter Mac installer from team GMATIC left "CoreAudio.app" on system

Discussion in 'Forum News and Updates' started by Vaultnaemsae, Feb 28, 2025.

  1. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    924
    Likes Received:
    589
technically, rug pulls aren't really theft. I mean, they are, but legally, you bought a coin, with likely no promises, not even knowing who the dev is etc, that's on you. Your transaction getting interrupted by malware is outright theft. I have a friend who had 100k stolen by a sim card swap, he contacted coinbase, and they contacted police, and they actually caught the guy.
     
  2. heero

    heero Newbie

    Joined:
    Jun 30, 2019
    Messages:
    25
    Likes Received:
    1
    dox-gate? what was that?
     
  3. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    8,028
    Likes Received:
    3,510
    you can see everything this installer tries to do in Suspicious Package. https://mothersruin.com/software/SuspiciousPackage/

    Suspicious Package shows about 2500 warnings on this one installer. File size mismatches, stuff that shows it wants to use "admin" when it actually tries to get Wheel (root).

    The version of "coreaudio.app" will not even run on Mojave.

    With the comment above that sounds like "conspiracy theory" re: "dox-gate", it would not surprise me at all if they were related. It's not a "stolen release" in the normal sense, with someone trying to gain money or credit for someone else's work. It's like someone melting a trojan server into MS Paint but made attractive to possible downloaders of Fabfilter plugins.

    Consider the timing. Maybe keep your eyes open for some Windows attempt with something else.
     
    Last edited: Mar 1, 2025
  4. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,599
    Likes Received:
    680
    ...and those f'ers just reposted it....

    I know the mods have to deal with whack-a-mole sometimes, and there aren't enough hands on deck to manually approve posts I imagine in a timely fashion, but there is a solution in need of finding here I think....
     
  5. typical-love

    typical-love Producer

    Joined:
    May 9, 2020
    Messages:
    275
    Likes Received:
    124
    Another dodgy release... stay on your toes everyone. I think we need more vetting of uploads by new teams/uploaders now.
     
  6. omiac

    omiac Moderator Staff Member

    Joined:
    May 3, 2024
    Messages:
    228
    Likes Received:
    227
    Already removed. It was queued prior to the ban issued... I/we are on it!

    Please, if anyone sees something suspicious like this, use PM to contact myself and/or PiRAT ASAP, report it and post a warning notice comment letting other members know what's up. TY!
     
  7. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,486
    Likes Received:
    607
    Location:
    CBGB omfug
    GMATIC eh? Good to know if I ever see any "releases" by that group for winOS to simply ignore em...
     
  8. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    7
    Likes Received:
    0
    Thank you to the community for all the additional information.

    I have a full backup of my system prior to the installation. I’m not sure if it is a nuclear option to revert to that if I’ve simply removed the “CoreAudio.app”.

    One earlier post indicated that simply removing the app would be OK and the only threat would be if one had transacted in crypto presumably after launching the dodgy app, due to the presence of a keylogger.

    But another post indicates that there were 2500 warnings against the app when they inspected the package contents. Seems like there may be more to it than simple removal.
     
  9. odod

    odod Rock Star

    Joined:
    Jun 5, 2011
    Messages:
    855
    Likes Received:
    416
    GMatic just posted Rev1 .. what a dick!
     
  10. loveriuz

    loveriuz Producer

    Joined:
    Jan 1, 2022
    Messages:
    220
    Likes Received:
    97
    Location:
    East of Jupiter
    Good it wasn't a DOGE Coin stealer, my stuff is safe :disco:
     
  11. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    8,028
    Likes Received:
    3,510
    While I would feel safe just deleting "CoreAudio.app" and the plugins; the reason why for me is because I do not have SIP disabled, and because I know my firewalls are not going to just allow something like that out to send any data ex: telemetry or passwords. I went through all the receipts and post-install scripts. The only one that calls Coreaudio.app is the post install script for Simplon.

    But if I had a brand new time machine backup, I'd go back to it anyway.
     
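clone's two posts above describe the checks that matter here: inspecting the installer package for files that want admin rights but actually request root (wheel), and reading every receipt and post-install script to see which component actually launches "CoreAudio.app". The script below is an added example, not code from this thread or from any tool named in it. It assumes the .pkg has already been expanded with `pkgutil --expand Installer.pkg expanded/` (a real pkgutil option), which leaves a PackageInfo XML file and a Scripts/ directory per component package; the two component packages it scans, their identifiers (com.example.simplon, com.example.clean) and their postinstall scripts are constructed inline so it runs offline. Indicator names such as "runs_as_root" are our own labels.

```python
"""Triage an expanded macOS .pkg before installing it (added example).

Assumes: `pkgutil --expand Installer.pkg expanded/` has been run, so every
component package is a directory holding a PackageInfo file and a Scripts/
directory. The sample package built by build_sample_package() is constructed
for this example and models the thread's description (a postinstall that
chowns an app to root:wheel and launches it); the names are hypothetical.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Things a defender wants flagged in a pre/postinstall script. Labels are ours.
INDICATORS = {
    "runs_as_root": re.compile(r"\bsudo\b|\bchown\s+(-R\s+)?root\b|\bchmod\s+([ug]\+s|[4-7][0-7]{3})\b"),
    "launches_app": re.compile(r"\bopen\s+(-a\s+)?\S*\.app\b"),
    "persistence": re.compile(r"LaunchAgents|LaunchDaemons|launchctl\s+(load|bootstrap)"),
    "network": re.compile(r"\bcurl\b|\bwget\b|\bnc\b"),
}


def scan_script(text: str) -> dict:
    """Return {indicator: [(line_no, line), ...]} for non-comment lines."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(stripped):
                hits.setdefault(name, []).append((lineno, stripped))
    return hits


def triage_package(expanded_dir, app_name: str = "CoreAudio.app") -> list:
    """One finding per component package found under expanded_dir.

    The `auth` attribute of <pkg-info> is what Installer honours: "root" means
    the component's payload and scripts run with root privileges.
    """
    findings = []
    for info_path in sorted(Path(expanded_dir).rglob("PackageInfo")):
        root = ET.parse(info_path).getroot()
        component = {
            "identifier": root.get("identifier", "?"),
            "auth": root.get("auth", "none"),
            "scripts": {},          # script tag -> indicator hits
            "references_app": False,  # does any script mention app_name?
        }
        scripts_dir = info_path.parent / "Scripts"
        scripts_el = root.find("scripts")
        for el in (scripts_el if scripts_el is not None else []):
            script_path = scripts_dir / Path(el.get("file", "")).name
            if not script_path.is_file():
                continue
            text = script_path.read_text(errors="replace")
            if app_name.lower() in text.lower():
                component["references_app"] = True
            component["scripts"][el.tag] = scan_script(text)
        findings.append(component)
    return findings


def risk_level(component: dict) -> str:
    """Rough triage bucket: root-privileged scripts that launch/own files or
    set up persistence/network are "high"; any other hit is "review"."""
    hits = {name for script in component["scripts"].values() for name in script}
    if component["auth"] == "root" and (
        component["references_app"] or hits & {"runs_as_root", "persistence", "network"}
    ):
        return "high"
    if hits or component["references_app"]:
        return "review"
    return "low"


# Constructed sample: two component packages as pkgutil --expand would lay them out.
SAMPLE_COMPONENTS = {
    "Simplon.pkg": ("com.example.simplon", "root",
        '#!/bin/sh\n# constructed sample modelled on the thread\n'
        'chown -R root:wheel "/Applications/CoreAudio.app"\n'
        'open -a "/Applications/CoreAudio.app"\nexit 0\n'),
    "Clean.pkg": ("com.example.clean", "none",
        '#!/bin/sh\n# constructed benign sample: only clears a plugin cache\n'
        'rm -rf "$HOME/Library/Caches/AudioUnitCache"\nexit 0\n'),
}


def build_sample_package(root: Path) -> Path:
    for dirname, (identifier, auth, postinstall) in SAMPLE_COMPONENTS.items():
        comp = root / dirname
        (comp / "Scripts").mkdir(parents=True)
        (comp / "PackageInfo").write_text(
            f'<pkg-info format-version="2" identifier="{identifier}" version="1.0" '
            f'install-location="/" auth="{auth}">\n'
            '  <scripts>\n    <postinstall file="./postinstall"/>\n  </scripts>\n</pkg-info>\n')
        (comp / "Scripts" / "postinstall").write_text(postinstall)
    return root


def run_demo() -> list:
    """Build the constructed package in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    for c in run_demo():
        print(f"{c['identifier']:24} auth={c['auth']:5} risk={risk_level(c)}")
        for tag, hits in c["scripts"].items():
            for name, lines in hits.items():
                for lineno, line in lines:
                    print(f"    {tag}:{lineno} [{name}] {line}")
```

On a real expanded package, point triage_package() at the expanded directory; receipts for packages already installed can be listed with `pkgutil --pkgs` and their file lists with `pkgutil --files <id>`, which is the quickest way to see what a component left behind before deciding whether deleting the app is enough or a backup restore is the safer route.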
  12. hot rats

    hot rats Member

    Joined:
    Oct 7, 2022
    Messages:
    30
    Likes Received:
    18
    I double check most releases with Pacifist (Mac). Some releases (e.g. Moria) are zipped and unzip to “root” for installing. This together with passwords for “Keychain” can get you into real trouble. I can trust people with solid releases in the past - the problem starts when/if they get hacked! Better still to install in a backup operating system. SIP disabled is OK if you know what you’re doing! Still I’ll be cautious for internet use. Unfortunately the Mac crowd is full of newcomers lately who spend big $$ for a new M4… but they expect free software. These are the people who are most vulnerable.. so
     
  13. fiction

    fiction Audiosexual

    Joined:
    Jun 21, 2011
    Messages:
    1,940
    Likes Received:
    706
    Sorry but this just doesn't apply to any well-done new attack.
     
  14. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,486
    Likes Received:
    607
    Location:
    CBGB omfug
    Tend to agree there. If it turns out to be something brand new and/or unique that doesn't adhere to any known quantities, odds are it will slide right past any scanners.
     
  15. BOB HUMPHREY

    BOB HUMPHREY Newbie

    Joined:
    Jan 14, 2025
    Messages:
    4
    Likes Received:
    2
    Unfortunately I installed. Can you tell me if deleting core audio and reinstalling the latest version of hciso is safe? Thanks
     
  16. Rain Drum

    Rain Drum Member

    Joined:
    Jan 14, 2023
    Messages:
    32
    Likes Received:
    8
    Unfortunately, that logic doesn't apply because you wouldn't be able to install any legitimate R2R release for example or any other release that uses a keygen. Just try for yourself, any Keygen gets flagged by the majority of virus checkers.

    It's a handy tool but it doesn't guarantee anything. Many releases get flagged as "generic malware" because the virus checkers detect that something "unusual" is going on or that the installer used in releases are not verified.
     
  17. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    8,028
    Likes Received:
    3,510
    They use heuristics. It detects patterns and behaviors in the coding of the malware. The amount of ways they can detect that something "resembles" a virus or other malware is very long, but if you are up for some technical reading, have at it. It does not solely rely on submitted samples. Based on all those factors, if a "brand new file" is undetected; it will stay that way until it is detected by other means. Look up those too, because there are many more than I'm typing. Once it is flagged as malware, it results in faster detections when future samples are submitted. Until that time, it's going to tell you it is undetected.

    None of that means it is not worth submitting samples. It just means that you can't depend on it, or expect it to be correct 100% of the time. It's like a lie detector test for people. Someone who knows what they are doing can beat the test.
     
  18. Duke Ralu

    Duke Ralu Newbie

    Joined:
    Jun 28, 2022
    Messages:
    3
    Likes Received:
    0
    If this helps
     
  19. Jason Purdy

    Jason Purdy Newbie

    Joined:
    Jul 19, 2024
    Messages:
    15
    Likes Received:
    1
    wow. i downloaded it but didn’t install it because HC had ff pq4 directly after. crazy.
     
  20. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    924
    Likes Received:
    589
    I'm not sure if that's all that needs to be done, but yes, definitely delete that app. If you work with crypto at all, do not do any work on the device you installed on, until you can figure out if it's for sure safe.
     