Reverse-engineered from a live Cursor Cloud Agent session running claude-4.6-opus-high-thinking. All findings are based on runtime inspection of /exec-daemon/index.js (15MB webpack bundle, 379K lines), process inspection, network analysis, and system introspection. Date: February 25, 2026.
This repository contains an analysis of a macOS infostealer delivered via a ClickFix social engineering attack hosted on testdino.com. The malware is an instance of Odyssey Stealer (a rebrand of Poseidon Stealer, itself a fork of AMOS/Atomic Stealer) -- a sophisticated macOS credential and cryptocurrency theft tool distributed as Malware-as-a-Service (MaaS) by a Russian-speaking threat actor known as "Rodrigo."
The victim was tricked into pasting a malicious command into their macOS Terminal through a fake CAPTCHA verification page.
```yaml
- name: Download
  run: Invoke-WebRequest https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-amd64.zip -OutFile ngrok.zip
- name: Extract
  run: Expand-Archive ngrok.zip
- name: Auth
  run: .\ngrok\ngrok.exe authtoken $Env:NGROK_AUTH_TOKEN
  env:
    NGROK_AUTH_TOKEN: ...
- name: Enable TS
  run: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
```
.NET:
- no cache hit (probably because we sign and it's then different, or because we do a local install)
- we still have the 600 MB cache folder (which never gets used)
Python:
- no cache hit
- 0MB cache (probably local install does not end up in the cache)
Java:
Get your list of versions from here: https://nodejs.org/download/nightly/
v20.0.0-nightly20221021eb32a8443a/ 21-Oct-2022 07:30 - good
v20.0.0-nightly20221031e43ecd5fec/ 31-Oct-2022 07:30 -
v20.0.0-nightly20221101590cf569fe/ 01-Nov-2022 07:00 -
v20.0.0-nightly20221111916af4ef2d/ 11-Nov-2022 06:30 -
v20.0.0-nightly20221121abadaca982/ 22-Nov-2022 19:00 -
v20.0.0-nightly202212013bed5f11e0/ 01-Dec-2022 07:00 -
v20.0.0-nightly20221202cc2732d764/ 05-Dec-2022 17:00 -
```ts
// Writing a polyfill for window.safari.pushNotification.
// Source https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/NotificationProgrammingGuideForWebsites/PushNotifications/PushNotifications.html
(() => {
  type Permission = 'default' | 'denied' | 'granted';
  class SafariRemoteNotification {
    permission(websitePushID: string) {
      return new SafariRemoteNotificationPermission(null, 'default')
    }
```
```js
// @ts-check
import { chromium } from 'playwright';
import assert from 'node:assert';
import path from 'node:path';
process.env.PW_CHROMIUM_ATTACH_TO_OTHER = '1';
(async () => {
  const pathToExtension = path.dirname(new URL(import.meta.url).pathname);
  const context = await chromium.launchPersistentContext('', {
```
```ts
import { Page } from '@playwright/test';

/**
 * This is a Page Object Model (POM) class for the application's Todo page. It
 * provides locators and common operations that make writing tests easier.
 * @see https://playwright.dev/docs/test-pom
 */
export class TodoPage {
  /**
   * Locators are used to reflect an element on the page with a selector.
```
Try Playwright (try.playwright.tech) rewrite: ASCII architecture diagram (truncated) comparing the "Before" layout (1x) with the "After" layout (N times, behind a Frontend (LB)).