by srazzaque 1257 days ago
Whilst slightly off-topic, curious if they published, or if anyone knows, what OS the compromised employee machine was running?

Files and path names listed in the "Malicious files" section in the blog post https://circleci.com/blog/jan-4-2023-incident-report/ lead me to believe that it is macOS.
Looks like macOS

Malicious files to search for and remove:

/private/tmp/.svx856.log
/private/tmp/.ptslog
PTX-Player.dmg (SHA256: 8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf)
PTX.app

It would be so interesting to get more details about the initial compromise. What was the engineer trying to do that ended up with downloading PTX-Player.dmg and (probably) the PTX.app installed in /Applications? Was it targeted directly at CircleCI or is this some generic info stealer? What AV / endpoint security solution were they using? Did it pass the built-in macOS protections (Gatekeeper, XProtect, etc)? Public VirusTotal seems to know nothing about that hash.