Researchers at XM Cyber detailed a macOS technique that lets an attacker with only standard user privileges disable enterprise security tools and call privileged functions, with no admin credentials, kernel exploit, or alerts. It abuses how macOS caches an application's code signature: once cached, the system keeps trusting the app even after an attacker modifies its components, letting a normal user impersonate trusted code and reach privileged XPC services by injecting into interface files. The team showed it disabling CrowdStrike Falcon and Kandji's MDM agent. CrowdStrike and Kandji have fixed their products, with Kandji assigning CVE-2026-39118, but XM Cyber frames the root cause as a flaw in macOS itself.