Problem
CrowdStrike Falcon (macOS endpoint security) is blocking agents sessions execution on at least one user machine. The silent block also surfaces inside editor extensions that read sessions in-process and shell out to the agents binary for related calls. Anyone on an EDR-enabled Mac effectively loses the sessions feature.
Root cause
The combination of behaviors below makes the agents CLI look like ransomware/recon malware to Falcon's behavioral IOA engine:
A. The binary is unsigned.
$ codesign -dv $(which agents)
~/.local/bin/agents: code object is not signed at all
It's a Node.js shebang script in a user-writable path. When spawned by an Electron child (Code Helper (Renderer) / Code Helper (Plugin)) it matches the post-exploitation profile Falcon flags by default.
B. Whole-system process enumeration on --active.
src/commands/sessions/active.ts:383 runs ps -A -o pid=,ppid=,comm= — listing every process is a high-fidelity ransomware-recon TTP.
C. Parallel per-PID lsof probes.
src/commands/sessions/active.ts:425 calls execFileAsync('lsof', ['-a', '-p', pid, '-d', 'cwd', '-Fn']) under Promise.all() for every unattributed agent PID — lateral-movement / credential-staging heuristic.
D. Rapid bulk reads across multiple dotfile dirs.
src/lib/session/discover.ts:147-163 scans ~/.claude/, ~/.codex/, ~/.gemini/ simultaneously under Promise.all() — ransomware file-enumeration heuristic.
E. Base64-decoded credential at runtime.
src/lib/session/discover.ts:577 parses ~/.codex/auth.json's JWT payload — credential-harvesting IOA.
The dominant trigger is A (unsigned + Electron-child parent). Fixing A alone likely clears the block for most users; C/D/E are hardening.
Mitigations (priority order)
- Sign + notarize the released binary (Developer ID +
notarytool) — primary fix.
- Gate the
lsof / ps fan-out behind a flag or sequentialize it.
- Avoid simultaneous bulk dotfile scans; stagger or read lazily.
- Defer the
auth.json JWT decode until the value is actually needed.
Problem
CrowdStrike Falcon (macOS endpoint security) is blocking
agents sessionsexecution on at least one user machine. The silent block also surfaces inside editor extensions that read sessions in-process and shell out to theagentsbinary for related calls. Anyone on an EDR-enabled Mac effectively loses the sessions feature.Root cause
The combination of behaviors below makes the
agentsCLI look like ransomware/recon malware to Falcon's behavioral IOA engine:A. The binary is unsigned.
It's a Node.js shebang script in a user-writable path. When spawned by an Electron child (
Code Helper (Renderer)/Code Helper (Plugin)) it matches the post-exploitation profile Falcon flags by default.B. Whole-system process enumeration on
--active.src/commands/sessions/active.ts:383runsps -A -o pid=,ppid=,comm=— listing every process is a high-fidelity ransomware-recon TTP.C. Parallel per-PID
lsofprobes.src/commands/sessions/active.ts:425callsexecFileAsync('lsof', ['-a', '-p', pid, '-d', 'cwd', '-Fn'])underPromise.all()for every unattributed agent PID — lateral-movement / credential-staging heuristic.D. Rapid bulk reads across multiple dotfile dirs.
src/lib/session/discover.ts:147-163scans~/.claude/,~/.codex/,~/.gemini/simultaneously underPromise.all()— ransomware file-enumeration heuristic.E. Base64-decoded credential at runtime.
src/lib/session/discover.ts:577parses~/.codex/auth.json's JWT payload — credential-harvesting IOA.The dominant trigger is A (unsigned + Electron-child parent). Fixing A alone likely clears the block for most users; C/D/E are hardening.
Mitigations (priority order)
notarytool) — primary fix.lsof/psfan-out behind a flag or sequentialize it.auth.jsonJWT decode until the value is actually needed.