North Pole Security
@northpolesec.bsky.social
📤 28
📥 3
📝 81
North Pole Security account. We make Santa
https://github.com/northpolesec/santa
In the next version of Santa, when paired with Workshop you'll be able to specify process tree relationships in a CEL rule. This lets you mark executables as not usable by processes or require TouchID from the user e.g. here's an example of us preventing Claude Code from running curl w/o TouchID.
loading . . .
about 1 month ago
0
0
0
Day 24 of our FAAdvent Calendar: Code injection is a major threat to binary allowlisting, especially when Electron/Chromium offer easy scripting/debugging
northpole.security/blog/2025-ad...
Workshop and Santa's CEL rules can prevent attackers from using debugging options to inject malicious code.
3 months ago
0
0
1
Day 23 of our FAAdvent Calendar: Learn how to use Workshop's Risk Engine with entitlements to flag unauthorized VPN and remote access software, preventing data exfiltration and enforcing compliance.
northpole.security/blog/2025-ad...
3 months ago
0
0
1
Day 22 of our FAAdvent Calendar: macOS audio plugins are an old often overlooked persistence trick.
northpole.security/blog/2025-ad...
Malicious .component or .driver bundles dropped in well-known directories can execute code, sometimes as root. Lock them down!
3 months ago
0
1
1
Day 21 of our FAAdvent Calendar: macOS's built-in security command can be used for nasty actions like dumping Keychain contents or adding rogue certificates. Stop these attacks using Workshop and Santa CEL rules:
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 20 of our FAAdvent Calendar: Living off the land (LoTL) is a common attack technique. Learn how to use CEL rules to block potentially malicious subactions of legitimate tools like systemsetup, instead of blocking the tool entirely.
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 19 of our FAAdvent Calendar: SSH private keys are master keys for your systems. 🔑
northpole.security/blog/2025-ad...
Infostealers like Atomic, Banshee, and Cthulhu target your ~/.ssh/ folder! Learn how to lock them down with Workshop and Santa’s file access Rules.
3 months ago
0
0
0
📢 We’ve just released version 2025.1010 of Workshop This release adds: 🎄 on-demand monitor mode 🎄 optional automatic updates 🎄 event export to S3/GCS 🎄 near-realtime directory syncing 🎄 local user/group management 🎄 added cwd & euid fields to CEL rules 🎄 live online status on the host details page
3 months ago
0
0
0
Day 18 of our FAAdvent Calendar: Don't let "Sploitlight" (CVE-2025-31199) leak your sensitive macOS data!
northpole.security/blog/2025-ad...
Attacks bypass TCC to exfiltrate files like Apple Intelligence databases. See how to prevent this persistence trick and data theft with Workshop and Santa:
3 months ago
0
0
0
Day 17 of our FAAdvent Calendar: Enhance your password manager security! 🛡️🔐
northpole.security/blog/2025-ad...
Beyond the account password, using file access rules can prevent other apps from reading your database, protecting you even if encryption is compromised.
3 months ago
0
0
0
Day 16 of our FAAdvent: Attackers are using Docker on macOS to hide from security tools! They run containers in a Linux VM, bypassing Endpoint Security Framework & can still steal credentials by mounting host volumes. See how Santa and Workshop can prevent this:
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 15 of our FAAdvent Calendar: Apple changed macOS's dynamic loader to write temp files to disk, but stealthy attackers adapt. Learn how to use Workshop & Santa’s file access rules to block this basic technique:
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 14 of our FAAdvent Calendar: Learn how attackers can bypass macOS Gatekeeper by stripping the quarantine attribute with xattr, and see how to block this technique using Workshop and Santa's CEL rules.
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 13 of our FAAdvent Calendar: Workshop and Santa's file access rules can lock down cron and at job persistence before attackers even get a chance to set their alarms.
northpole.security/blog/2025-ad...
3 months ago
0
0
0
Day 12 of our FAAdvent Calendar: Launch Agents and Daemons are a convenient way for programs to run in the background, but they’re also a great way for malware to gain persistence on a device.
northpole.security/blog/2025-ad...
3 months ago
0
0
1
Day 11 of our FAAdvent Calendar: Prevent persistence by securing /etc/pam.d with a Santa file access rule. Block write attempts even from root!
northpole.security/blog/2025-ad...
3 months ago
0
0
1
Day 10 of our FAAdvent Calendar: A one-liner command is all you need to see if a password is legit, but Santa's CEL rules can stop this common post exploitation behavior.
northpole.security/blog/2025-ad...
3 months ago
0
0
1
Day 8 of our FAAdvent Calendar: Hide your macOS password hashes! A one-liner command can expose the hash and salt, but Workshop & Santa's file access rules & CEL rules can protect these crown jewel files.
northpole.security/blog/2025-ad...
4 months ago
0
0
1
Day 7 of our FAAdvent Calendar : Prevent macOS Gatekeeper from being disabled on your fleet by creating a Santa CEL rule!
northpole.security/blog/2025-ad...
4 months ago
0
1
1
Day 6 of our FAAdvent Calendar: Protect your browser cookies from infostealers with Santa's File Access Rules—limit access so only the browser can read its own cookies!
northpole.security/blog/2025-ad...
4 months ago
0
0
1
We've started our FAAdvent Calendar a collection of short things you can do with Workshop and Santa to improve improve your security while staying productive.
northpole.security/blog/2025-ad...
loading . . .
North Pole Security Advent Calendar: 25 Days of macOS Protection
Discover 25 production-ready Santa rules inspired by actual macOS malware. Each day reveals a new CEL or FAA configuration to protect against threats like Atomic Stealer and threat campaigns targeting...
https://northpole.security/blog/2025-advent-calendar
4 months ago
0
1
0
'Tis the season for new features. 🎁 Introducing On-Demand Monitor Mode in Workshop & Santa—monitor mode access only when you need it, only when you prove you're at the keyboard. Check out the Loom ⬇️
www.loom.com/share/0c09ed...
loading . . .
Introducing On-Demand Monitor Mode in Santa and Workshop 🚀🎅
In this video, I introduced a new feature called on-demand monitor mode that will be available in the next versions of Santa and Workshop. This feature allows users to temporarily switch from lockdown...
https://www.loom.com/share/0c09ede1ff38480298b03cea5af10959
4 months ago
0
0
1
Join us in celebrating North Pole Security's first anniversary! 🎉 Reflect on a year of innovation, growth, & unwavering commitment to livable security with Santa and Workshop. Read about our journey and what's next!
#FirstAnniversary
#Santa
#Workshop
northpole.security/blog/one-yea...
5 months ago
0
0
1
Yesterday we released Santa v2025.8 on GitHub.
github.com/northpolesec...
This release includes a handful of new features. Some highlights include: - Support for CEL string extensions to enable writing more powerful policies. This lets you do things like args.join(" ").contains("-flag option")
loading . . .
Release v2025.8 · northpolesec/santa
Notes Announcements 🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It...
https://github.com/northpolesec/santa/releases/tag/2025.8
7 months ago
1
0
0
Incredibly humbled by the amazing feedback from our community! Thank you for growing with us - here's to continuing to build something great together! 🚀
7 months ago
0
0
0
Keeping with our Christmas in July🎄, we just released Santa 2025.7 on GitHub
github.com/northpolesec...
This release includes: - A new icon that matches the company's branding - Ready for Tahoe! - Bug fixes and more
loading . . .
Release v2025.7 · northpolesec/santa
Notes Announcements 🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It...
https://github.com/northpolesec/santa/releases/tag/2025.7
8 months ago
0
0
1
🎉 It's Christmas in July! We raised $4M to make proactive macOS security scalable for everyone. Workshop is the first commercial platform built for Santa. Finally making allowlisting usable at scale. Thanks to A16Z & everyone's who's believed in our mission.
8 months ago
1
5
2
📢 Earlier this month we released Santa 2025.6
github.com/northpolesec...
🧵 This is a large release with several features
loading . . .
Release v2025.6 · northpolesec/santa
Notes ImportantThe binaries initially uploaded for this release only contained the arm64 slice. We have updated the binaries to be universal and also include the x86_64 slice as well. You may need ...
https://github.com/northpolesec/santa/releases/tag/2025.6
9 months ago
1
0
1
📢 We've just released Santa v2025.5 on GitHub
github.com/northpolesec...
This release includes a handful of new features and changes: Some highlights Below 🧵:
loading . . .
Release v2025.5 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. Santa documentation has undergone a complete overhaul and can be found at northpole.dev. A...
https://github.com/northpolesec/santa/releases/tag/2025.5
10 months ago
1
0
1
Very exciting to see Santa called out as a tool that works in the
@specterops.io
SO-Con talk on Modern macOS Red Teaming Tactics by Lance Cain and
@werdhaihai.bsky.social
www.youtube.com/watch?v=t_L2...
loading . . .
Modern macOS Red Teaming Tactics | SO-CON 2025
YouTube video by SpecterOps
https://www.youtube.com/watch?v=t_L2bdbXkp0
11 months ago
0
2
1
📢 Last week we released Santa v2025.4
github.com/northpolesec...
Along with some big changes 🧵
loading . . .
Release v2025.4 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. Santa documentation can be found at northpole.dev. Announcements 📣 Opt-In Stats Collection...
https://github.com/northpolesec/santa/releases/tag/2025.4
11 months ago
1
0
1
Today we released Santa v2025.3 on GitHub
github.com/northpolesec...
. This release includes a handful of new features.
loading . . .
Release v2025.3 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. Santa documentation can be found at northpole.dev. Announcements 📣 Opt-In Stats Collection...
https://github.com/northpolesec/santa/releases/tag/2025.3
12 months ago
1
1
1
We agree with CISA and think you should use Santa too
www.cisa.gov/sites/defaul...
about 1 year ago
0
0
1
📣 We’ve just released Santa v2025.2 on GitHub.
github.com/northpolesec...
Some highlights include: - Process-centric File Access Authorization rules are now in Beta! This means FAA rules can now target all access from a given process without knowing the files that will be accessed ahead of time.
loading . . .
Release v2025.2 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. Santa documentation can be found at northpole.dev. Announcements 📣 Opt-In Stats Collection...
https://github.com/northpolesec/santa/releases/tag/2025.2
about 1 year ago
1
1
1
Last night we released Santa 2025.1
github.com/northpolesec...
Notable features include: Entitlements in the Sync Protocol This allows you to avoid authorizing or see which applications are disabling code signing on libraries.
loading . . .
Release v2025.1 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. Santa documentation can be found at northpole.dev. Fixed ❗ Fixed an issue where santactl c...
https://github.com/northpolesec/santa/releases/tag/2025.1
about 1 year ago
1
1
1
We've released v2024.12 of Santa.
github.com/northpolesec...
This addresses an upgrade issue when running in lockdown mode and also a minor issue where a root user is able to inject rules when it is configured to use a sync service is configured.
loading . . .
Release v2024.12 · northpolesec/santa
Notes If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade. This release fixes an issue that could affect users that upgraded to v2024.11 from v2024.1...
https://github.com/northpolesec/santa/releases/tag/2024.12
over 1 year ago
0
1
0
Today we're excited to release Santa v2024.11!
github.com/northpolesec...
Highlights: 1. Our initial beta for standalone mode: This lets you authorize binaries using TouchID. So you can live in lockdown mode.
www.youtube.com/watch?v=Hd4t...
loading . . .
Santa Standalone Mode w/Swift UI
YouTube video by Pete Markowsky
https://www.youtube.com/watch?v=Hd4t9mW-C-c
over 1 year ago
1
1
2
Our co-founders (Russell Hancox and
@plm.bsky.social
) were recently on the @MacAdmPodcast talking about Santa and
@northpolesec.bsky.social
podcast.macadmins.org/2024/11/19/e...
loading . . .
Episode 389: North Pole Security & Santa
Santa’s got new digs up at North Pole Security! Join us as we talk with Russell and Pete from North Pole about what Santa’s move means, how it’s developing in the future, and what’s coming next for…
https://podcast.macadmins.org/2024/11/19/episode-389-north-pole-security-santa/
over 1 year ago
0
0
1
Today is Santa's 10th Birthday 🎂🎉. The first commit was from Russell Hancox at 4:23 PM
over 1 year ago
0
1
1
Last week we made our first Open Source release of Santa version 2024.10
github.com/northpolesec...
Highlights: 1. Streamlined UI with silencing options and added a button to copy relevant data to the clipboard to help users report issues / blocks to security
over 1 year ago
1
0
3
you reached the end!!
feeds!
log in
