StarGear

StarGear Scanner

v0.11.4 · build 134 · macOS 13.0+ · Apple Silicon (arm64) · ad hoc signed

A macOS menu bar threat scanner with Bitcoin-specific audits. It sits next to a hardware wallet workflow, not instead of it. Built for the Mac user who self-custodies and still uses the same machine to browse the web.

Verify the SHA-256 before opening.

What it checks

Each scan returns one of three states per audit: CLEAN, FINDING, or BLIND. BLIND means the check could not run, usually because a permission was withheld. The trust score reflects only what was actually checked; a BLIND audit neither raises nor lowers it.

macOS hygiene baseline

  • Firewall state
  • FileVault state
  • System Integrity Protection (SIP)
  • Gatekeeper policy
  • XProtect bundle version
  • Password policy

Persistence inventory

  • LaunchAgents
  • LaunchDaemons
  • Login items
  • Cron jobs
  • Browser extensions

TCC permissions inventory

  • User TCC database
  • System TCC database (requires Full Disk Access)

Bitcoin-specific

  • Wallet file presence and encryption sniffing for Electrum, Sparrow, Specter, Wasabi, Bitcoin Core
  • Wallet binary code signature drift pinning
  • Hardware wallet USB enumeration with vendor and product pinning across Ledger, Trezor, Coldcard, BitBox02, Foundation Passport, Jade
  • Browser cookie file foreign handle detection across Chrome, Brave, Edge, Firefox, Safari, Arc, Vivaldi

Live watchers (opt-in)

  • Clipboard watcher: catches BTC address swaps and BIP39 seed exposure
  • PSBT in-flight watcher: catches a clipboard PSBT that differs from the open PSBT file
  • YARA watcher: scans newly written files in ~/Downloads, ~/Library/LaunchAgents, /tmp

Threat intel ingestion

  • CISA KEV
  • abuse.ch ThreatFox
  • MalwareBazaar
  • URLhaus
  • SlowMist phishing domains

What it does not do

Read this section before you trust the green check. These are the gaps.

It is not an antivirus. There is no real-time, on-access scanner across the whole filesystem.

It does not run as a kernel extension or system extension. It does not use the Endpoint Security API.

It cannot detect a one-shot infostealer that runs, exfiltrates, and exits between scans, unless the malware touches one of the monitored paths while a live watcher is running.

It cannot read the system TCC database without Full Disk Access. If you do not grant it, several audits return BLIND.

It is not notarized by Apple. You are trusting an ad hoc signed binary. Verify the SHA-256 below before installing.

Permissions and what they unlock

Both permissions are optional. The app runs without them, but several audits will return BLIND.

Permission         Unlocks
Full Disk Access   Reading the system TCC database, the wallet directory audit, and the screen capture cross check.
Accessibility      EventTap enumeration, which is the keylogger check.

Install

The binary is ad hoc signed, so on first launch Gatekeeper will block it. The shell snippet below downloads the DMG, prints the expected hash next to the computed one (it does not compare them for you, so check that they match), copies the app into /Applications, strips the quarantine attribute, and opens it.

Expected SHA-256: c5a488b1bfbaeb4656d8bb6c16a3ff942534e1e3b018de4ef36a3e2fb9e093cd
pkill -x "StarGear Scanner" 2>/dev/null; sleep 1; hdiutil detach "/Volumes/StarGear Scanner" 2>/dev/null; rm -rf "/Applications/StarGear Scanner.app" ~/Downloads/StarGear_Scanner.dmg && curl -L -o ~/Downloads/StarGear_Scanner.dmg https://stargear.xyz/scanner/StarGear_Scanner.dmg && echo "Expected: c5a488b1bfbaeb4656d8bb6c16a3ff942534e1e3b018de4ef36a3e2fb9e093cd" && shasum -a 256 ~/Downloads/StarGear_Scanner.dmg && hdiutil attach ~/Downloads/StarGear_Scanner.dmg && cp -R "/Volumes/StarGear Scanner/StarGear Scanner.app" /Applications/ && hdiutil detach "/Volumes/StarGear Scanner" && xattr -dr com.apple.quarantine "/Applications/StarGear Scanner.app" && open "/Applications/StarGear Scanner.app"

If you prefer the GUI: download the DMG, run shasum -a 256 against it and compare the output to the value above, drag the app into /Applications, then run xattr -dr com.apple.quarantine "/Applications/StarGear Scanner.app" in Terminal before opening it.

System requirements

macOS          13.0 or later
Architecture   Apple Silicon (arm64) only. No Intel build.
Signing        Ad hoc. Not notarized by Apple.
Disk           Under 50 MB installed
Network        Outbound only, for threat intel feed pulls and update checks

Source and updates

The app checks for updates automatically in the background and shows a menu bar prompt when a new build is available. You can also re-run the install snippet above to force a clean reinstall.

Source code at github.com/StarGearx/StarGear-Scanner.