Security researchers at Iru have detailed a new threat that reaches macOS users through the software supply chain. The malware, dubbed Minirat, is a Remote Access Trojan (RAT) written in Go, a choice that complicates analysis with conventional static tooling.
Initially discovered by SafeDep, the malware was delivered through a malicious npm package named velora-dex-sdk, aimed squarely at developer endpoints. Build metadata points to "premeditated tooling development": the malware's code was committed weeks before the package itself was compromised.
Using Go gives the attackers an immediate advantage against static analysis. Go binaries are "statically linked by default": the Go runtime and every imported package are linked into one large executable. For an analyst this means:
- Inflated Binary Footprint: file sizes far larger than those of an equivalent C or C++ program that links its libraries dynamically.
- Symbol Obfuscation: the attacker's own functions are a small fraction of the code, surrounded by thousands of runtime and library functions, so the boundary between malicious code and legitimate libraries is blurred.
- Naming Chaos: once the symbol table has been stripped, a disassembler that does not understand Go's own metadata shows "thousands of unnamed sub_XXXXXX routines" and leaves the analyst nothing to search for.
To get past these hurdles, Iru's researchers used GoResolver, Volexity's open-source tool for recovering function names in Go binaries, and with the names restored they were able to map out the malware's internal logic.
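It is worth seeing how much of the naming problem is recoverable from the binary itself. The Go runtime keeps a table of function names and PC ranges (the pclntab) in every binary so that it can print stack traces, and ordinary symbol stripping does not remove it; GoResolver's symbol-extraction side draws on the same metadata before falling back to control-flow-graph similarity for obfuscated samples. The program below is an added example written for this page, not code from Iru, Volexity or the Minirat sample: it reads the pclntab with the standard library's debug/gosym, groups the recovered names by package and prints the packages that are not standard library, which is where an attacker's own code sits. The PackageOf, IsStdlib and CountByPackage helpers, and the "first path element without a dot" test for standard-library packages, are this example's own conventions.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"debug/macho"
	"fmt"
	"os"
	"sort"
	"strings"
)

// pclntab returns the raw Go pclntab and the text-section start address of an
// ELF (Linux) or Mach-O (macOS) Go binary. PIE ELF builds place the table under
// a relro section name; a universal Mach-O is read through its first slice.
func pclntab(path string) (data []byte, textStart uint64, err error) {
	if f, e := elf.Open(path); e == nil {
		defer f.Close()
		tab, text := f.Section(".gopclntab"), f.Section(".text")
		if tab == nil {
			tab = f.Section(".data.rel.ro.gopclntab")
		}
		if tab == nil || text == nil {
			return nil, 0, fmt.Errorf("%s: no gopclntab section (not a Go binary?)", path)
		}
		data, err = tab.Data()
		return data, text.Addr, err
	}
	var mf *macho.File
	if f, e := macho.Open(path); e == nil {
		mf = f
	} else if ff, e := macho.OpenFat(path); e == nil {
		mf = ff.Arches[0].File
	} else {
		return nil, 0, fmt.Errorf("%s: not an ELF or Mach-O file", path)
	}
	defer mf.Close()
	tab, text := mf.Section("__gopclntab"), mf.Section("__text")
	if tab == nil || text == nil {
		return nil, 0, fmt.Errorf("%s: no __gopclntab section (not a Go binary?)", path)
	}
	data, err = tab.Data()
	return data, text.Addr, err
}

// RecoverFuncNames lists every function name recorded in the pclntab. The runtime
// needs that table for stack traces, so it survives -ldflags="-s -w", which only
// drops the symbol table and DWARF. Names mangled before the build (as garble
// does) come back mangled; that is the case GoResolver's CFG matching exists for.
func RecoverFuncNames(path string) ([]string, error) {
	data, textStart, err := pclntab(path)
	if err != nil {
		return nil, err
	}
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, textStart))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tab.Funcs))
	for _, fn := range tab.Funcs {
		names = append(names, fn.Name)
	}
	sort.Strings(names)
	return names, nil
}

// PackageOf returns the import path owning a function name: the path ends at the
// first '.' after the last '/', so "runtime.(*mspan).init" gives "runtime".
func PackageOf(fn string) string {
	i := strings.LastIndex(fn, "/") + 1
	if j := strings.Index(fn[i:], "."); j >= 0 {
		return fn[:i+j]
	}
	return fn
}

// IsStdlib is the usual rough test: std import paths have no '.' in their first
// element, whereas module paths (github.com/...) do; main is the attacker's code.
func IsStdlib(pkg string) bool {
	first := strings.SplitN(pkg, "/", 2)[0]
	return first != "main" && !strings.Contains(first, ".")
}

// CountByPackage tallies recovered functions per package.
func CountByPackage(names []string) map[string]int {
	counts := make(map[string]int)
	for _, n := range names {
		counts[PackageOf(n)]++
	}
	return counts
}

func main() { // usage: gonames <go-binary>
	names, err := RecoverFuncNames(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d function names recovered from the pclntab\n", len(names))
	for pkg, n := range CountByPackage(names) {
		if !IsStdlib(pkg) { // the few packages left are where the malware lives
			fmt.Printf("  %-48s %d functions\n", pkg, n)
		}
	}
}
```

Run it as `go run . /path/to/sample` against a Linux or macOS Go binary (Windows PE is not handled). The non-standard-library packages it prints are the starting point for analysis; if the package names themselves are mangled, the sample was obfuscated before compilation and metadata recovery stops helping, which is where GoResolver's similarity matching comes in.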
Minirat does not only hide its code; it also checks whether it is being watched. The first thing it does is call IsVirtualMachine, which inspects system identification strings for keywords such as "Virtual Machine", "Oracle" (VirtualBox) and "VMware". If any of them is present the malware assumes it is inside an analyst's sandbox or virtual machine and exits immediately, so a detonation sandbox that leaves those vendor strings visible in its hardware identifiers will record nothing more than a clean exit.
Once it is satisfied that it is on a real victim's machine, it ensures that only one instance runs by taking a file-based lock at $TMPDIR/updater.lock; the presence of that file is a simple hunting indicator. For long-term access it establishes persistence in two ways:
- Modifying .zshrc: appending commands to the user's zsh startup file, which is sourced every time an interactive shell is opened.
- Creating a LaunchAgent: dropping a property-list (plist) file into the user's LaunchAgents directory so that launchd starts the malware at every login.
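Both persistence mechanisms leave artifacts that can be checked from the endpoint. What follows is an added example written for this page, not code or indicators from Iru's report: a small hunt over a user's LaunchAgents plists and ~/.zshrc. The plist parsing uses encoding/xml; the heuristic (a command line that runs something out of the per-user temp area, where the $TMPDIR/updater.lock lock file places the malware, or that pipes a download into a shell), the samplePlist and sampleZshrc inputs, and every path and label inside them are constructed assumptions for the example.

```go
package main

import (
	"bufio"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one flagged persistence artifact: where, why, and the offending text.
type Finding struct{ Path, Reason, Detail string }

// The heuristic, an assumption of this example rather than an indicator from the
// report: a launch out of the per-user temp area, or a download piped into a shell.
var suspiciousShell = regexp.MustCompile(
	`(?i)(curl|wget)\s[^\n]*\|\s*(ba|z)?sh\b|\bnohup\b|/var/folders/|/tmp/|\$TMPDIR`)

// parseLaunchAgent walks the plist XML token stream (each <key> names the value
// after it; ProgramArguments is an <array> of <string>) and returns Label and argv.
func parseLaunchAgent(r io.Reader) (string, []string, error) {
	var label, key string
	var args []string
	var inArgs bool
	dec := xml.NewDecoder(r)
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return label, args, err
		}
		switch t := tok.(type) {
		case xml.EndElement:
			inArgs = inArgs && t.Name.Local != "array"
		case xml.StartElement:
			var text string
			switch t.Name.Local {
			case "array":
				inArgs = key == "ProgramArguments"
			case "key":
				err = dec.DecodeElement(&key, &t)
			case "string":
				err = dec.DecodeElement(&text, &t)
				if inArgs || key == "Program" {
					args = append(args, text)
				} else if key == "Label" {
					label = text
				}
			}
			if err != nil {
				return label, args, err
			}
		}
	}
	return label, args, nil
}

// CheckLaunchAgent parses one plist and flags it if its command line trips the
// heuristic. A binary plist (bplist00) fails to parse: convert it with plutil first.
func CheckLaunchAgent(path string, r io.Reader) ([]Finding, error) {
	label, args, err := parseLaunchAgent(r)
	if cmd := strings.Join(args, " "); err == nil && suspiciousShell.MatchString(cmd) {
		return []Finding{{path, "LaunchAgent " + label + " launches from a temp path or pipes a download into a shell", cmd}}, nil
	}
	return nil, err
}

// CheckShellProfile applies the same heuristic to each non-comment line of an rc
// file such as ~/.zshrc, which zsh sources for every interactive shell.
func CheckShellProfile(path string, r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line != "" && !strings.HasPrefix(line, "#") && suspiciousShell.MatchString(line) {
			out = append(out, Finding{path, fmt.Sprintf("line %d launches from a temp path or pipes a download into a shell", n), line})
		}
	}
	return out, sc.Err()
}

func main() { // hunts the two locations the page names under $HOME
	home := os.Getenv("HOME")
	rc, _ := os.ReadFile(filepath.Join(home, ".zshrc")) // absent is normal: empty input
	found, _ := CheckShellProfile(".zshrc", strings.NewReader(string(rc)))
	plists, _ := filepath.Glob(filepath.Join(home, "Library", "LaunchAgents", "*.plist"))
	for _, p := range plists {
		data, _ := os.ReadFile(p)
		f, err := CheckLaunchAgent(p, strings.NewReader(string(data)))
		if err != nil {
			fmt.Fprintln(os.Stderr, p+":", err) // usually a binary plist
		}
		found = append(found, f...)
	}
	for _, x := range found {
		fmt.Printf("%s: %s\n    %s\n", x.Path, x.Reason, x.Detail)
	}
}

// Constructed samples for this example, not artifacts from the report.
const samplePlist = `<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/private/var/folders/zz/q1/T/updater</string><string>--quiet</string></array>
<key>RunAtLoad</key><true/></dict></plist>`
const sampleZshrc = "export PATH=\"$HOME/bin:$PATH\"\nalias ll='ls -la'\nnohup \"$TMPDIR/updater\" >/dev/null 2>&1 &\n"
```

Run with `go run .` as the user being checked. The lock file itself can be checked with os.Stat(filepath.Join(os.TempDir(), "updater.lock")), since os.TempDir honours $TMPDIR. Expect some noise from legitimate tools that run out of /tmp; the value is the short list to triage, not an automatic verdict, and any plist reported as unparseable should be converted with `plutil -convert xml1` and re-checked rather than ignored.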
The C2 side is carefully organized. The server list lives in AES-encrypted configuration files, and the key is the 32-byte (AES-256) string v59l2uwlow9s1ebuscgfg9k9r4voxkbs. Because the key is fixed and recoverable from the sample, the encryption hides the configuration only from casual inspection; anyone with a copy of the malware can recover the server list.
Once a connection is established, Minirat performs "victim enrollment" by uploading a dossier (info.json) with the victim's username, hostname, macOS version, public IP address and geolocation.
Tasking then flows over two JSON-based channels, action.json and info.json, through which the attacker can issue several powerful commands:
- Upload: Exfiltrate entire directories from the victim.
- Command: Execute arbitrary shell commands, essentially giving the attacker an “interactive shell-like capability”.
- Download: Retrieve and execute secondary payloads or tools.
As Iru's analysis concludes, "static indicators alone are insufficient" to catch threats like this. Defending against them takes visibility into process behavior on developer endpoints (a new LaunchAgent, an edited shell profile, an unexpected outbound connection from build tooling) together with screening of third-party packages before they reach a developer's machine.