i install Tinker Tool System from github and for some reason mac ask for my password with message "wrong password"
Last edited by a moderator:
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Tinker Tool Malware Problem
- Thread starter Pskordilis
- Start date
- Sort by reaction score
TinkerTool is not on GitHub. This is the official page https://www.bresink.com/products.html
Most likely, you have installed info stealer malware.
Scan your Mac with
Intego VirusBarrier Scanner https://apps.apple.com/app/id1200445649
Bitdefender Virus Scanner https://apps.apple.com/app/id500154009
what the. This is what i install.
edit: the problem is i dont know where is the install location
Last edited:
If you run the suggested command in Terminal, check in /tmp/ for a file named update.
To list the content of /tmp/ in Terminal
Code:
ls -a /tmp/At the moment i just finish restore my mac through timemachine so i can't check. Thanks for your help friend.
And don't forget to change your password! (+ any others you may have attempted, for whatever reason)
Hopefully you have good password hygiene and haven't used the same password elsewhere!? If you have, ensure you also change the password(s) on every website, app etc, where you also use it. The same goes for any additional passwords you may have tried to use in that dodgy app.
I didn't even find that app to open it 🤣. all my passwords are random gen plus 2fa
Just as note, the above discussed nightmare with installing Github virus masquerading as application TinkerTool is the reason why so many people are so happy to be protected by AppleStore and requirements to sign the applications. It is getting more and more difficult to protect ourselves by simply being careful and reasonable.
I checked the Github page, when it was still linked here, and it is weird page with no credentials to author or anything else which would trace to author and app pedigree. It has no commit history or anything else making it reasonable GH repo. But, it looks good enough to pass as source if trusted software to, potentially, many.
I checked the Github page, when it was still linked here, and it is weird page with no credentials to author or anything else which would trace to author and app pedigree. It has no commit history or anything else making it reasonable GH repo. But, it looks good enough to pass as source if trusted software to, potentially, many.
For the external disk, try to re-index it in Terminal :
If it doesn’t work, try first to delete actual index :
Note: sudo requires session password.
Code:
sudo mdutil -i on /Volumes/"My external Volume"If it doesn’t work, try first to delete actual index :
Code:
sudo mdutil -X /Volumes/"My external Volume"Note: sudo requires session password.
I didn’t have time to install this one in a virtual machine, but similar ones delete themselves after a successful run.
One has been taken down, I reported others as well, but there are too many. If you search the string after echo using Bing, you can find similar pages on GitHub for IINA, Audacity, uBlock and even CrowdStrike.
Many hours after restore my timemachine backup i get a weird message like that, you think is relevant to the junk i install? Resume data sync asks for my mac pass btw and not icloud pass.
I installed the malware in a virtual machine and it generates these files:
/tmp/.pass
/tmp/starter
/tmp/update
~/.agent
~/.helper
~/.id
~/.pass
~/.username
Check if you still have any of them. The ones with a dot in front of the name are hidden.
"How to Show Hidden Files on a Mac" https://www.macrumors.com/how-to/show-hidden-files-on-a-mac/
~/ indicates the home folder, /Users/YourUserName/
"Go directly to a specific folder on Mac"
https://support.apple.com/guide/mac-help/mchlp1236/
/tmp/.pass
/tmp/starter
/tmp/update
~/.agent
~/.helper
~/.id
~/.pass
~/.username
Check if you still have any of them. The ones with a dot in front of the name are hidden.
"How to Show Hidden Files on a Mac" https://www.macrumors.com/how-to/show-hidden-files-on-a-mac/
~/ indicates the home folder, /Users/YourUserName/
"Go directly to a specific folder on Mac"
https://support.apple.com/guide/mac-help/mchlp1236/
Quick way to toggle hidden files on/off: ⌘⇧. (that's a period at the end)
That’s exactly what the MacRumors article describes, with words and images. As far as I know, clicking on macrumors.com links is safe
I know. But that's the one key bit of information from that article, and makes sense to have right in the thread itself.That’s exactly what the MacRumors article describes, with words and images. As far as I know, clicking on macrumors.com links is safe
I've relied on so many MacRumors threads when troubleshooting in the past, and I always appreciate it when people document things within the discussion (like you've done with all those malware file locations above).
Last edited:
There are legitimate apps, notarized by Apple, hosted on GitHub.
To enumerate just a few
IINA https://github.com/iina/iina
Stats https://github.com/exelban/stats
LuLu https://github.com/objective-see/LuLu
KnockKnock https://github.com/objective-see/KnockKnock
When downloading any app, it’s a good idea to check it on VirusTotal.
Example for the latest IINA 1.3.5 dmg, in the details there is a Signature info section
https://www.virustotal.com/gui/file...d0c9daccc1d59176832ea650f533fcbdc6a38/details
This is how the page of the malware looked like. Following repeated reports to GitHub, the pages have been removed. As the link from the script is still active, I’ve obscured it.
I have a video of the malware in action, but I have to edit it in a similar way first.