// $t@$h
// This script does a one-time scan of ~/Downloads for .pkg installers, then
// polls at regular intervals and re-inspects the directory on macOS.
// It does NOT modify the system in any way: it only lists files and prints to stdout.
// TODO: What I would like to do with this is add known hashes of
// trojanized artifacts and match downloaded files against them. Hash matching
// is not absolute (repacked or polymorphic samples change the hash), but it
// is a step up from matching on the file-name suffix alone.
import Foundation
/// Seconds to wait between consecutive scans of ~/Downloads.
let pollingInterval = TimeInterval(60)
/// Wall-clock time recorded by `checkForRecentPKGFiles()`; nil until a scan has been recorded.
var lastCheckedDate: Date? = nil
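/// Scans ~/Downloads once for installer packages and reports what it finds on stdout.
///
/// Detection is by file-name suffix only: `.pkg`, compared case-insensitively
/// because macOS volumes are normally case-insensitive and a file may be named
/// `Installer.PKG`. A package that has been renamed, or is wrapped inside a
/// .dmg/.zip, is not seen, and no signature or notarization check is performed.
/// Nothing on disk is modified.
///
/// Side effect: `lastCheckedDate` is set to the time of this attempt whether or
/// not the directory could be read, so the polling loop stays rate-limited even
/// when ~/Downloads is unreadable (e.g. access denied).
func checkForRecentPKGFiles() {
    let fileManager = FileManager.default
    let downloadsPath = NSHomeDirectory() + "/Downloads/"
    // Record the attempt on every exit path, including the error path.
    defer { lastCheckedDate = Date() }
    do {
        let entries = try fileManager.contentsOfDirectory(atPath: downloadsPath)
        let pkgFiles = entries.filter { $0.lowercased().hasSuffix(".pkg") }
        guard !pkgFiles.isEmpty else { return }
        print("!!!Caution, .PKGs found in Downloads:")
        pkgFiles.forEach { print($0) }
        // Pair each package with its modification date. If the attributes cannot
        // be read the date falls back to distantPast so that file never ranks newest.
        let datedFiles = pkgFiles.map { fileName -> (String, Date) in
            let attributes = try? fileManager.attributesOfItem(atPath: downloadsPath + fileName)
            let modified = attributes?[.modificationDate] as? Date ?? Date.distantPast
            return (fileName, modified)
        }
        if let newest = datedFiles.max(by: { $0.1 < $1.1 }) {
            print("Most recent PKG file: \(newest.0)")
        }
    } catch {
        // Surface the underlying error so a permission (TCC) problem can be told
        // apart from a missing directory instead of a bare "Error".
        print("Error checking Downloads: \(error.localizedDescription)")
    }
}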
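checkForRecentPKGFiles() // One-time scan at startup
// Continuous poll: re-scan once pollingInterval has elapsed since the last
// recorded scan. A nil lastCheckedDate (nothing recorded yet, e.g. the startup
// scan could not read ~/Downloads) is treated as "due now"; the original
// `if let` guard silently stopped polling forever in that case.
while true {
    sleep(UInt32(pollingInterval))
    if let last = lastCheckedDate, Date().timeIntervalSince(last) < pollingInterval {
        continue
    }
    checkForRecentPKGFiles()
}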