By the third or fourth week of November was the only time I realized I was hacked. Tinkering on my mac’s logs and system files showed that the attackers started observing what I was doing between the last week of Febrary to the first week of March. Ill try to write all four exploits that the attackers did in a different blog post. In the meantime, this article details the custom “hack” I set on my mac for additional protection. This may or may not work for everyone. Duplicate at yer own risk.

Things I did:

• Install XCode and CLI tools
• Deactivate remote management sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
• Remove Desktop Sharing sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
• Remove Apple Remote Desktop Settings

sudo rm -rf /var/db/RemoteManagement ; \
sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist ; \
defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist ; \
sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ ; \
rm -r ~/Library/Application\ Support/Remote\ Desktop/ ; \
rm -r ~/Library/Containers/com.apple.RemoteDesktop

• Uninstall Google Update ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall --nuke
• Show mail attachments as icons defaults write com.apple.mail DisableInlineAttachmentViewing -bool yes
• Enable developer menu and web inspector in safari

defaults write com.apple.Safari IncludeInternalDebugMenu -bool true && \
defaults write com.apple.Safari IncludeDevelopMenu -bool true && \
defaults write com.apple.Safari WebKitDeveloperExtrasEnabledPreferenceKey -bool true && \
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2DeveloperExtrasEnabled -bool true && \
defaults write -g WebKitDeveloperExtras -bool true

• Focus follows mouse on terminal defaults write com.apple.Terminal FocusFollowsMouse -string YES
• Use plain text in TextEdit as default defaults write com.apple.TextEdit RichText -int 0
• Disable local backups sudo tmutil disable

User@user ~ % sudo tmutil disable
tmutil: disable requires Full Disk Access privileges.
To allow this operation, select Full Disk Access in the Privacy
tab of the Security & Privacy preference pane, and add Terminal
to the list of applications which are allowed Full Disk Access.

• Install CLI Tools xcode-select --install
• Disable icon bounce on Dock

defaults write com.apple.dock no-bouncing -bool false && \
killall Dock

• Enable Scroll Gestures

defaults write com.apple.dock scroll-to-open -bool true && \
killall Dock

• Show Hidden Apps/Icons

defaults write com.apple.dock showhidden -bool true && \
killall Dock

• Disable Sudden Motion Sensor sudo pmset -a sms 0
• Show AFP, SMB, NFS, WebDAV etc

defaults write com.apple.finder ShowMountedServersOnDesktop -bool true && \
killall Finder

• Show All File Extensions defaults write -g AppleShowAllExtensions -bool true
• Show hidden files defaults write com.apple.finder AppleShowAllFiles true
• Show ~/Library folder chflags nohidden ~/Library
• Save to Disk by Default(not iCloud) defaults write -g NSDocumentSaveNewDocumentsToCloud -bool false
• Disable creation of .DS_Store and AppleDouble files defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
• Recursively delete .DS_Store Files find . -type f -name '.DS_Store' -ls -delete
• Clear Font Cache for All users

sudo atsutil databases -removeUser && \
sudo atsutil server -shutdown && \
sudo atsutil server -ping

• Disable IR Receiver sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -int 0
• Disable sound effects on boot sudo nvram SystemAudioVolume=" "
• Disable autoplay in quicktime defaults write com.apple.QuickTimePlayerX MGPlayMovieOnOpen0
• Disable bonjour service sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ProgramArguments -array-add "-NoMulticastAdvertisements"
• Enable screensaver password defaults write com.apple.screensaver askForPassword -int 1
• Install Homebrew /bin/bash -c "$(curl -fsSL [https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh](https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh))"
• Install pyenv github.com/pyenv/pyenv
• Install nvm github.com/nvm-sh/nvm#installing-and-updating

No VSCode, right? I decided to use GitHub codespaces instead of coding in my Mac. I’ll most-likely write another article to talk about my GitHub codespaces set-up. Cheers!