Hello pandabeta, that is indeed a suspicious program you have got there. The binary sh should typically reside in /bin/sh and is always signed by Apple and definitely not from an "unidentified developer". This is a big red flag ⛳ in my opinion, and I suspect that this sh binary is not original but some malware. Allow me to assist you in your investigation further. We'll first attempt to locate this suspicious binary. Could you fire up your terminal.app and type this command into the terminal. find /Library/LaunchAgents /Library/LaunchDaemons ~/Library/LaunchAgents -type f -exec echo "{}" \; -exec plutil -p "{}" \; Do also let me know if your mac is running on an Intel architecture or apple silicon You can either post the output of the command here, or if you prefer more privacy, email it to me at simplysecuriti [at] protonmail [dot] com Glad to help!

Hello FancyHan Yes, unlike macOS, all data on your iPhone is encrypted by default. https://support.apple.com/en-sg/guide/security/sece3bee0835/web

Is curl trying to write to a write-protected sandboxed location? curl(3204) deny(1) system-privilege 10006 This clearly shows that the sandbox is killing curl. The error code when matched to the XNU source here #define PRIV_NET_PRIVILEGED_NECP_MATCH 10006 /* Privilege verified by Network Extension policies */ There is also a related thread with someone facing the same error code as you, perhaps this may help: List of system privileges