News Article · Jun 24, 2026 at 6:38 PM
Attackers Exploit macOS Weaknesses, CI/CD Flaws, and Ransomware in Latest Wave of Cyber Incidents
Security #CI/CD #ransomware #supply chain #macOS #endpoint security #KDDI #Bajaj Auto #CrowdStrike #Kandji #Ubiquiti

A wave of cybersecurity incidents includes a macOS attack that disables EDR agents, a new CI/CD weakness class called Cordyceps affecting 300+ repos, a KDDI breach exposing 14.2M email credentials, and a ransomware attack on Bajaj Auto.

Cybersecurity researchers disclosed a series of vulnerabilities and attacks this week, including a macOS technique that allows non-admin users to silently disable endpoint detection and response tools, a new class of CI/CD weakness affecting major tech companies, a ransomware incident at Indian auto manufacturer Bajaj Auto, and a breach at Japanese telecom KDDI that exposed millions of email credentials.

The macOS attack, detailed by XM Cyber and reported by SecurityWeek, uses legitimate OS behavior rather than software flaws to unload endpoint security agents. A standard non-admin account can exploit the code-signing trust cache to inject a malicious payload that impersonates a trusted app component, then invoke privileged XPC methods. The technique was successfully demonstrated against CrowdStrike Falcon Sensor and Kandji MDM.

macOS Attack Targets EDR and MDM Agents

XM Cyber researcher Hillel Pinto showed that the attack chain can permanently disable endpoint security without triggering alerts. CrowdStrike paid a bug bounty and added detection for the technique. Kandji patched the issue and assigned CVE-2026-39118. A third unnamed enterprise EDR vendor is still working on a patch. Pinto plans to release an open-source discovery tool called XPC Hunter at Black Hat US in August 2026. Apple has not yet commented.

  • CrowdStrike Falcon Sensor fully unloaded from a standard user account.
  • Kandji MDM permanently deactivated via a two-stage chain that cleared EDR guards.
  • Attack exploits the kernel's code-signing trust cache persistence after a signed app executes.
  • XPC Hunter will automate identification of exploitable XPC privilege escalation surfaces across macOS applications.
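The technique above turns on a privileged XPC method accepting a caller that merely looks like a trusted app component. The baseline hardening on the defending side is to pin the XPC listener to a code-signing requirement so the kernel-enforced signature, not a name or path, decides who may connect. The following Swift helper is an added example written for this article; it is not code from XM Cyber, CrowdStrike, Kandji or Apple, and the article does not say whether the affected agents performed such a check or whether it alone would have stopped this specific trust-cache chain. The service name `com.example.agentcontrol`, the `AgentControlProtocol` interface and the Team ID `TEAMID1234` are placeholders.

```swift
import Foundation

// Hypothetical privileged helper interface (placeholder names, not a real vendor API).
@objc protocol AgentControlProtocol {
    func status(withReply reply: @escaping (String) -> Void)
}

final class AgentControl: NSObject, AgentControlProtocol {
    func status(withReply reply: @escaping (String) -> Void) {
        reply("running")
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement: only binaries signed under this Team ID may talk to the helper.
    // "TEAMID1234" is a placeholder; substitute the vendor's real Team ID.
    static let requirement =
        "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID1234\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // macOS 13+: the connection is torn down before any message is delivered
            // if the peer's code signature does not satisfy the requirement.
            newConnection.setCodeSigningRequirement(Self.requirement)
        } else {
            // No requirement pinning available on this OS: refuse rather than trust by name.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: AgentControlProtocol.self)
        newConnection.exportedObject = AgentControl()
        newConnection.resume()
        return true
    }
}

// Register the Mach service (placeholder name) and serve requests forever.
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.agentcontrol")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The point a reviewer should take from the delegate is that acceptance is decided by a signing requirement evaluated by the OS, and that the older-OS branch fails closed. Tools such as the planned XPC Hunter are expected to flag listeners that accept any local caller; auditing each privileged method for a requirement like the one above is the corresponding defensive review.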

CI/CD Weaknesses and Ransomware Strike

Separately, researchers at Novee Security flagged a critical CI/CD workflow pattern named Cordyceps that affects over 300 GitHub repositories at organizations including Microsoft, Google, and Apache. The weakness allows attackers to hijack workflows and compromise open-source supply chains. In the same week, Indian auto giant Bajaj Auto reported a ransomware incident on Tuesday, taking precautionary measures to contain its impact. Japanese telecom KDDI disclosed a breach affecting six internet service providers that exposed 14.2 million email credentials; customers were advised to change passwords immediately. Critical vulnerabilities in Ubiquiti devices are also being actively targeted by attackers, allowing remote command injection and system changes.

The convergence of these incidents underscores persistent gaps in endpoint defense, supply chain security, and third-party risk management. As researchers release tools to find similar macOS weaknesses, enterprises should expect increased scrutiny of XPC interfaces and code-signing trust mechanisms. For CI/CD pipelines, the Cordyceps pattern adds to a growing catalog of exploitable workflow flaws that require immediate remediation.

Fact check

  • A standard non-admin macOS account can silently disable endpoint security tools like CrowdStrike Falcon Sensor using an attack that exploits the kernel's code-signing trust cache. (verified)
  • Novee Security identified a CI/CD weakness codenamed Cordyceps affecting over 300 GitHub repositories at Microsoft, Google, and Apache. (verified)
  • Indian auto manufacturer Bajaj Auto experienced a ransomware incident and took precautionary measures. (verified)
  • KDDI breach affected six Japanese ISPs and exposed 14.2 million email credentials. (verified)
  • Critical Ubiquiti vulnerabilities allow remote, unauthenticated attackers to execute commands and make system changes. (verified)
