Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.

Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.

Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.

In March 2025, our team found a suspicious mach-O file named wsus. Read the full analysis on its likely origins, target users, and observed functionality.

Kandji's Threat Research team performed an audit on the macOS diskarbitrationd & storagekitd system daemons, uncovering several (now fixed) vulnerabilities

A new piece of malware that we're calling TodoSwift downloads its malicious payload alongside a seemingly legitimate piece of content about cryptocurrency.

Kandji's threat research team has discovered a piece of malware that combines aspects of an infostealer and spyware. Here's how it works.

Kandji threat analysis reveals how the AMOS macOS stealer constantly changes its hash signatures while maintaining its functionality.