A local, transparent macOS menu bar threat scanner for people who self custody Bitcoin on their Mac.
StarGear Scanner is a single binary macOS app that lives in your menu bar. You run it. It scans for a class of risks that generic antivirus tools do not look for: clipboard hijackers that swap Bitcoin addresses, malicious browser wallet extensions, drainer style scripts, suspicious persistence around wallet processes, screen capture aimed at wallet UI, exfiltration of PSBTs and seed backups, and similar Bitcoin specific patterns.
Findings are explained in plain language. Every finding points at a public source so you can verify what the tool is claiming.
- People holding meaningful amounts of Bitcoin on a Mac.
- Self custody users who pair a Mac with a hardware wallet.
- Anyone running a Bitcoin node or wallet software locally and worried about supply chain or targeted attacks.
If you do not touch Bitcoin on this machine, StarGear Scanner is not the right tool for you. Use a general purpose endpoint security tool.
Being explicit so there are no surprises:
- It is not antivirus. It does not replace XProtect, MRT, or any third party AV.
- It is not a kernel extension. It does not load a system extension or network extension.
- It is not always on. By default, scans are user triggered from the menu bar.
- It does not auto remediate. It tells you what it found. You decide what to do.
- It does not send telemetry. It does not phone home about your machine, your scans, or your findings.
- It does not store, touch, or back up your wallet seed. It never asks for it. If anything ever asks you for a seed phrase, it is not StarGear Scanner.
- It is not notarized by Apple. It is ad hoc signed. Gatekeeper will warn on first launch (see Install).
- It does not auto update. New releases must be downloaded manually.
- It is not a substitute for a hardware wallet. It reduces risk on a hot machine. It does not eliminate it.
One line install from the official site:
```bash
curl -fsSL https://stargear.xyz/install.sh | bash
```
This downloads the latest signed DMG, verifies its checksum, and copies the app into /Applications. If you would rather not pipe a script straight into bash, download install.sh first, read it, then run it; its source is in Tools/. Keep in mind what the checksum does and does not prove: a checksum fetched from the same host as the DMG catches a corrupted download, not a substituted one, and because the build is ad hoc signed there is no Developer ID certificate or notarization ticket to check independently. What you are trusting is the TLS connection to stargear.xyz.
Alternatively, download the DMG manually from the GitHub releases page or stargear.xyz.
First launch: macOS Gatekeeper will warn because the build is ad hoc signed and not notarized. On macOS 13 and 14, right click the app in Finder, choose Open, then confirm. On macOS 15 and later the right click shortcut no longer bypasses the warning: launch the app once, let Gatekeeper block it, then go to System Settings > Privacy & Security and choose Open Anyway. After that, normal double click works.
Requirements:
- macOS 13 or later, Apple Silicon recommended
- Xcode 15 or later
- xcodegen (`brew install xcodegen`)
Steps:
```bash
git clone https://github.com/StarGearx/StarGear-Scanner
cd StarGear-Scanner
xcodegen generate
xcodebuild \
  -project StarGear_Scanner.xcodeproj \
  -scheme "StarGear Scanner" \
  -configuration Release \
  -derivedDataPath build \
  build
```
The built .app bundle lands in build/Build/Products/Release/.
Run tests:
```bash
xcodebuild \
  -project StarGear_Scanner.xcodeproj \
  -scheme "StarGear Scanner" \
  -derivedDataPath build \
  test
```
StarGear Scanner is sandboxed where it can be and asks for the minimum permissions it needs. macOS prompts for the first two of these the first time a given scan needs them:
- Full Disk Access (FDA). Required for the audits that look at LaunchAgents, LaunchDaemons, persistence paths under other users, and protected system directories. Without FDA, those audits return a BLIND state instead of pretending to pass. BLIND means the audit could not run, not that the system is clean.
- Accessibility. Required by the optional live clipboard hijacker watcher so it can observe address replacement attempts. Off by default; if you leave live watchers off, you will never be asked for it.
- Network. Outbound only, to fetch public threat intel, optional MalwareBazaar lookups, and the optional update check. macOS shows no prompt for ordinary outbound connections; it is listed here so the full set of capabilities is visible. See Network calls below.
If you deny a permission, the affected audit reports BLIND. The rest of the scan still runs. Treat a BLIND result the way you would treat a missing log source: no finding there is not evidence of a clean system.
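To make the BLIND semantics concrete, here is an added example, not StarGear Scanner's own code: a small audit harness in Python with a LaunchAgents persistence check that reports BLIND when it cannot read its inputs, and a summarizer that refuses to call a scan clean while any audit is blind. The directory reader is injected so the permission-denied path can be exercised offline; the `TRUSTED_PREFIXES` heuristic, the sample plists, and the `PermissionError` stand-in are constructed for illustration.

```python
"""Audit harness with a BLIND state: added example, not StarGear Scanner's code.

A LaunchAgents persistence check that reports BLIND when it cannot read its
inputs, instead of returning an empty (and therefore passing) result. The
directory reader is injected so the permission-denied path runs offline.
TRUSTED_PREFIXES and the sample plists are constructed for illustration."""
import os
import plistlib
import tempfile
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Iterable, List, Tuple


class Status(Enum):
    PASS = "PASS"    # audit ran and found nothing
    FAIL = "FAIL"    # audit ran and has findings
    BLIND = "BLIND"  # audit could not run; says nothing about the system


@dataclass
class AuditResult:
    name: str
    status: Status
    findings: List[str] = field(default_factory=list)
    reason: str = ""


# Illustrative assumption: a RunAtLoad program outside these prefixes is worth a look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/homebrew/")

PlistSource = Callable[[], Iterable[Tuple[str, bytes]]]


def audit_launch_agents(list_plists: PlistSource) -> AuditResult:
    """list_plists yields (path, raw bytes) for each LaunchAgent plist.
    PermissionError means the audit never saw its inputs, so the answer is
    BLIND rather than a hollow PASS."""
    findings: List[str] = []
    try:
        for path, raw in list_plists():
            try:
                plist = plistlib.loads(raw)
            except Exception as exc:  # an unparsable persistence entry is itself a finding
                findings.append(f"{path}: unparsable plist ({exc})")
                continue
            args = plist.get("ProgramArguments") or [plist.get("Program", "")]
            program = str(args[0]) if args else ""
            if plist.get("RunAtLoad") and not program.startswith(TRUSTED_PREFIXES):
                findings.append(f"{path}: RunAtLoad program outside trusted prefixes: {program}")
    except PermissionError as exc:
        return AuditResult("launch_agents", Status.BLIND, reason=f"no read access ({exc})")
    return AuditResult("launch_agents", Status.FAIL if findings else Status.PASS, findings)


def summarize(results: List[AuditResult]) -> str:
    """A scan is CLEAN only when every audit actually ran and passed."""
    if any(r.status is Status.FAIL for r in results):
        return "FINDINGS"
    blind = [r.name for r in results if r.status is Status.BLIND]
    if blind:
        return "PARTIAL: blind on " + ", ".join(blind)
    return "CLEAN"


def read_plists_in(directory: str) -> PlistSource:
    """Real reader: os.listdir raises PermissionError on a directory the app cannot see."""
    def source():
        for name in sorted(os.listdir(directory)):
            if name.endswith(".plist"):
                full = os.path.join(directory, name)
                with open(full, "rb") as fh:
                    yield full, fh.read()
    return source


def denied_reader() -> Iterable[Tuple[str, bytes]]:
    """Constructed stand-in for another user's ~/Library/LaunchAgents without FDA."""
    raise PermissionError("Operation not permitted")


def demo() -> Tuple[AuditResult, AuditResult]:
    # Constructed sample: one ordinary agent, one that runs a script from /tmp at login.
    benign = {"Label": "com.example.helper", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]}
    suspect = {"Label": "com.example.login", "RunAtLoad": True,
               "ProgramArguments": ["/tmp/.x/run.sh", "--quiet"]}
    with tempfile.TemporaryDirectory() as d:
        for stem, plist in (("a", benign), ("b", suspect)):
            with open(os.path.join(d, f"{stem}.plist"), "wb") as fh:
                plistlib.dump(plist, fh)
        with_access = audit_launch_agents(read_plists_in(d))
    without_access = audit_launch_agents(denied_reader)
    return with_access, without_access


if __name__ == "__main__":
    for result in demo():
        print(result.status.value, result.findings or result.reason, "->", summarize([result]))
```

`demo()` runs the same audit twice, once with a readable directory (FAIL, one finding) and once through the denied reader (BLIND). The property worth carrying over to any audit you write: the only code path that yields PASS is one that actually enumerated the directory, and the summary never says CLEAN while a BLIND result is present.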
StarGear Scanner targets the threat of a Mac that is otherwise trusted by its owner but has been compromised by a Bitcoin specific attacker: a clipboard hijacker, a malicious browser extension, a tampered wallet binary, a phishing installer with persistence, a drainer script, a PSBT exfiltrator, or a screen capture watcher tuned to wallet UI. It assumes the kernel and the macOS security primitives are not themselves compromised. It assumes the user can still make a decision when handed information. It does not defend against a state level adversary with kernel implants. It does not defend against a user voluntarily entering a seed phrase into a phishing site.
The scanner ships a focused set of audits. They are grouped roughly by what they look at:
- Bitcoin specific: clipboard address swap detection, hardware wallet USB hygiene, PSBT exfiltration paths, seed backup leak surfaces, EVM and Solana drainer signatures that often coexist with Bitcoin theft kits.
- Browser surface: known malicious wallet extensions, suspicious extension behavior, cookie beacon to known drainer infrastructure.
- macOS hygiene: persistence (LaunchAgents, LaunchDaemons, login items, cron, profile installs), Homebrew formula integrity, keychain delta, keyring tamper, configuration profiles, AppleScript invokers, event taps, screen capture watching, camera and mic abuse adjacent to wallet apps.
- Network and exfil: DNS hygiene, DoH and Tor egress flags, outbound connections matched against indicator feeds.
- Integrity: file integrity baseline for wallet binaries, codesign cache, detection capability self check.
Full list lives in Sources/Engine/.
A handful of audits can run as live background watchers instead of one shot scans:
- Clipboard hijacker watcher
- PSBT in flight watcher
- Persistence watcher
- Live YARA watcher
- File integrity monitor
These are off by default. They are visible toggles in the menu bar panel. Turning them on increases CPU and battery use and may require Accessibility permission.
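The clipboard address swap audit, and the live watcher built on the same check, come down to two decisions: is the pasteboard content really a Bitcoin address, and did one valid address turn into a different valid address without a user copy in between. The following is an added example, not the project's own implementation: it validates addresses by checksum (Base58Check for legacy `1`/`3` addresses, bech32 and bech32m for `bc1` addresses) so random text is never flagged, then flags any pasteboard change where one valid address becomes a different valid address within a short window. The snapshots are constructed inline; on macOS they would come from polling `NSPasteboard` and its `changeCount`, which is out of scope here. The two second window and the `Snapshot` shape are assumptions of this example.

```python
"""Clipboard address-swap detection: added example, not StarGear Scanner's code.
Validates mainnet addresses by checksum (Base58Check and bech32/bech32m), then
flags a pasteboard change where one valid address becomes a different valid
address within a short window. Snapshots are constructed; on macOS they would
come from NSPasteboard.changeCount polling. The 2 s window is an assumption."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def is_base58check_address(addr: str) -> bool:
    """Legacy P2PKH ('1...') and P2SH ('3...') mainnet addresses."""
    if not 26 <= len(addr) <= 35 or addr[0] not in "13":
        return False
    n = 0
    for c in addr:
        if c not in B58:
            return False
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a zero byte
    if len(body) != 25 or body[0] not in (0x00, 0x05):
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()
    return digest[:4] == body[21:]


def _polymod(values: List[int]) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def is_bech32_address(addr: str) -> bool:
    """Native segwit 'bc1...' addresses: bech32 for v0, bech32m for v1+ (BIP173, BIP350)."""
    if addr not in (addr.lower(), addr.upper()):  # mixed case is invalid
        return False
    addr = addr.lower()
    if not addr.startswith("bc1") or len(addr) > 90 or len(addr) < 10:
        return False
    data = addr[3:]  # the charset has no '1', so the separator is always index 2
    if any(c not in BECH32 for c in data):
        return False
    values = [BECH32.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in "bc"] + [0] + [ord(c) & 31 for c in "bc"]
    const = _polymod(hrp_expanded + values)
    witver = values[0]
    return const == 1 if witver == 0 else (1 <= witver <= 16 and const == 0x2BC830A3)


def is_bitcoin_address(text: str) -> bool:
    s = text.strip()
    return is_bech32_address(s) or is_base58check_address(s)


@dataclass
class Snapshot:
    change_count: int  # analogue of NSPasteboard.changeCount
    at: float          # seconds since the watcher started
    text: str


def detect_address_swaps(snaps: List[Snapshot], window: float = 2.0) -> List[Tuple[str, str, float]]:
    """Flag consecutive pasteboard changes where a valid address is replaced by a
    different valid address within `window` seconds. A hijacker rewrites the
    pasteboard milliseconds after the copy; two back-to-back user copies of
    different addresses are the expected false positive, hence a finding, not a fix."""
    hits = []
    for prev, cur in zip(snaps, snaps[1:]):
        if cur.change_count == prev.change_count:
            continue  # same changeCount: the watcher just polled again
        a, b = prev.text.strip(), cur.text.strip()
        if a != b and cur.at - prev.at <= window and is_bitcoin_address(a) and is_bitcoin_address(b):
            hits.append((a, b, round(cur.at - prev.at, 3)))
    return hits


# Constructed sample: the user copies the genesis address, it is rewritten 200 ms after
# the last poll, then ordinary copies, then a mistyped address that fails its checksum.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SEGWIT = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
SAMPLE = [
    Snapshot(5, 0.0, GENESIS),
    Snapshot(5, 0.1, GENESIS),              # poll, nothing changed
    Snapshot(6, 0.3, SEGWIT),               # rewritten with no user copy in between
    Snapshot(7, 10.0, "meeting notes"),
    Snapshot(8, 20.0, SEGWIT),
    Snapshot(9, 20.5, GENESIS[:-1] + "b"),  # bad checksum, so not an address
]

if __name__ == "__main__":
    for original, replacement, delta in detect_address_swaps(SAMPLE):
        print(f"clipboard swap: {original} -> {replacement} after {delta}s")
```

Requiring a passing checksum on both sides is cheap and removes most noise: a hijacker's replacement has to be a spendable address or the theft fails, so it always validates, while typos, truncated copies and look-alike strings do not. The window is the tunable part; a real watcher would also record whether a user copy event preceded the change, which is what the Accessibility permission is for.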
StarGear Scanner makes a small, fixed set of outbound network calls. There is no analytics SDK and no per user identifier.
- Public threat intel feeds: pulled to refresh local indicator lists. Domains used are listed in `Sources/Engine/BitcoinThreatIntelFeeds.swift` and `Sources/Engine/IOCIngestion.swift`. You can read them.
- MalwareBazaar lookups: optional, queried on demand for suspicious hashes (`MalwareBazaarClient.swift`). A lookup necessarily sends the queried hash to abuse.ch, so leave this off if even that is more than you want to disclose.
- Update check: optional, queried at most once per app launch against the official release feed (`UpdateChecker.swift`). Uses an ephemeral URL session, so no cookies or cache persist between launches.
There is no upload of your findings, your file list, or any machine identifier.
- Pure Swift, SwiftUI front end.
- `MenuBarExtra` based, `LSUIElement = true`, no Dock icon by default.
- Built with xcodegen so the project file is regenerable. `project.yml` is the source of truth.
- Ad hoc signed for distribution at this stage. See SECURITY.md for the rationale.
- No third party Swift package dependencies in the main target.
- Layout:

```
Sources/
  App/        Entry point, app coordinator, Info.plist
  Engine/     Audits, scanners, models, watchers
  UI/         MenuBarExtra panel and views
Tests/        XCTest targets
Tools/        Build and packaging scripts
Docs/         Public docs
Resources/    Assets, plists, threat intel seed data
```
See CONTRIBUTING.md.
See SECURITY.md for how to report vulnerabilities.
MIT. See LICENSE.
Thanks to the open Bitcoin security community, MalwareBazaar, the broader macOS reverse engineering community whose published indicators make a tool like this possible, and to early testers who put up with the v0.x releases.