How to Check Your Mac for a Keylogger
Keyloggers are one of those threats that feel almost cinematic — someone silently recording every single keystroke you make, capturing passwords, messages, credit card numbers, everything. But they're not just a movie plot. They're real, they run on Macs, and they're more common than most Mac users think.
That said, let's keep this in perspective. The vast majority of Mac users will never encounter a keylogger in the wild. macOS has strong protections against them, especially since Catalina introduced stricter permission controls. But "unlikely" isn't the same as "impossible," and if you have reason to be suspicious — or you just want to be thorough — here's how to actually check.
First, Understand What You're Looking For
There are three kinds of keyloggers that can affect your Mac:
Software keyloggers run as applications or background processes. They capture keystrokes through macOS APIs and either log them locally or send them to a remote server. These are the most common type on Macs. Some are disguised as legitimate utilities.
Hardware keyloggers are physical devices plugged between your keyboard and your Mac, or embedded inside a USB keyboard itself. They don't show up in any software scan because they operate at the hardware level. Less common on laptops (you'd notice something plugged into your MacBook), but worth checking if you use an external keyboard at work or a shared space.
Kernel-level keyloggers hook into the operating system at a deep level. These are rare on modern macOS because Apple's System Integrity Protection and kernel extension restrictions make them extremely difficult to install. On Sequoia and Sonoma, a kernel-level keylogger would need to bypass multiple layers of protection. Not impossible, but unlikely unless you're being targeted by a well-funded attacker.
Check Input Monitoring Permissions
This is the first and most important place to look. Starting with macOS Catalina, Apple introduced an Input Monitoring permission that controls which apps can monitor keyboard input. Any legitimate app that needs to see your keystrokes — and some illegitimate ones — should appear here.
Go to System Settings > Privacy & Security > Input Monitoring.
Look at every app on this list. You should recognize all of them. Common legitimate entries include Karabiner-Elements (keyboard customization), certain accessibility tools, and some password managers. If you see an app you don't recognize, or one you didn't install, that's a serious red flag.
Here's the thing though: not all keyloggers will show up here. A well-crafted keylogger might use accessibility APIs or other techniques to capture keystrokes without triggering this permission prompt. But many commercial keyloggers and stalkerware products do appear in Input Monitoring, so it's a good first check.
While you're in Privacy & Security, also check Accessibility. Apps with Accessibility access can monitor and control your Mac in broad ways, including intercepting keystrokes. This list tends to be longer than Input Monitoring, and honestly, most people have never reviewed it.
Dig Into Launch Agents and Launch Daemons
The first thing I do on any new Mac is check what's in ~/Library/LaunchAgents. This is where persistence mechanisms live — programs that automatically start when you log in or when your Mac boots. Keyloggers need to survive restarts, and LaunchAgents are the most common way they do it.
Open Terminal and run:
ls -la ~/Library/LaunchAgents/
You'll see a list of .plist files. Each one tells macOS to run a specific program at login. The filenames usually follow reverse-domain notation, like com.google.keystone.agent.plist (that's Google's auto-updater, totally legitimate). Look for anything you don't recognize — especially entries with vague or generic names.
Now check the system-level directories:
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/
LaunchDaemons run as root and start at boot time, even before any user logs in. A keylogger running as a LaunchDaemon has elevated privileges and is harder to spot.
If you find a suspicious plist file, read it:
cat ~/Library/LaunchAgents/suspicious-file.plist
Look at the ProgramArguments key. It tells you exactly what executable the plist is launching and where it lives on disk. If it points to something in /tmp, a hidden folder, or a random location in your home directory, that's not normal.
I've personally seen Macs that were "clean" according to traditional antivirus but had three sketchy LaunchAgents running in the background. Antivirus looks for known malware signatures. LaunchAgents are just configuration files — they're not inherently malicious, so signature-based tools often miss them entirely.
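The directory walk above can be scripted. This is an added example, not code from the original article or from CoreLock: it reads every plist in the three directories (including binary plists, which cat prints as unreadable bytes) and flags command lines that point into /tmp, a hidden folder, or a home directory. It assumes python3 is installed; the function names and the flag names (temp-dir, hidden-path, home-dir) are this example's own.

```python
import plistlib
from pathlib import Path

# The three directories the article checks; LaunchDaemons run as root at boot.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def job_command(job):
    """Command line launchd runs: Program, when set, is the executable instead of argv[0]."""
    args = [str(a) for a in job.get("ProgramArguments") or []]
    return [str(job["Program"])] + args[1:] if job.get("Program") else args


def path_flags(command):
    """Flag locations the article calls abnormal, in the executable or any path argument."""
    flags = set() if command else {"no-program"}
    for arg in (a for a in command if a.startswith("/")):
        if arg.startswith(TEMP_PREFIXES):
            flags.add("temp-dir")
        if any(part.startswith(".") for part in Path(arg).parts):
            flags.add("hidden-path")
        if arg.startswith("/Users/"):
            flags.add("home-dir")
    return sorted(flags)


def audit(directories):
    """Return (plist name, command, flags) for every job in the given directories."""
    findings = []
    for directory in directories:
        for plist in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    command = job_command(plistlib.load(fh))  # XML or binary plist
            except Exception:  # malformed file, or a root object that is not a dict
                findings.append((plist.name, [], ["unreadable"]))
                continue
            findings.append((plist.name, command, path_flags(command)))
    return findings


if __name__ == "__main__":
    for name, command, flags in audit(LAUNCH_DIRS):
        print(f"{'REVIEW' if flags else 'ok':<6} {name}: {' '.join(command)} {flags}")
```

A home-dir flag on its own is common for legitimate per-user updaters, so treat the output as a reading list of plists to open, not a verdict.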
Search for Suspicious Files in Library Folders
Keyloggers need to store their logs somewhere. Common locations include hidden folders in your home directory, temporary directories, and various spots inside ~/Library.
Check for hidden files and folders:
ls -la ~/Library/Application\ Support/ | head -30
Look for folders with names you don't recognize. Legitimate apps use this directory, so there'll be a lot here — but you should be able to identify most of them. A folder called something like .keydata or SystemService that doesn't correspond to any app you know? Investigate it.
Also check the logs directory:
ls -la /var/log/ | grep -v '\.bz2$'
And look for recently modified files in spots where keyloggers sometimes stash their captures:
find ~/Library -name "*.log" -mtime -7 -not -path "*/Caches/*" 2>/dev/null
That command finds .log files in your Library folder that were modified in the last 7 days, excluding caches. If a keylogger is writing captured keystrokes to a log file, this might surface it.
Check for USB Hardware Keyloggers
This one's straightforward but often overlooked. If you use an external keyboard, especially in an office or shared workspace, it's worth checking for a physical device between your keyboard's USB cable and your Mac.
Hardware keyloggers look like small USB adapters or dongles. They sit inline between the keyboard plug and the computer port, recording everything that passes through. Some newer ones look nearly identical to regular USB adapters.
You can also check what USB devices your Mac sees:
ioreg -p IOUSB -l | grep -i "product\|vendor\|class"
This lists all USB devices with their product names and vendor information. You should see your keyboard, mouse, any external drives, and other peripherals you've connected. If there's a device listed that you don't recognize — especially one between your keyboard and your Mac — unplug it and see if your keyboard still works. If it does, that "adapter" wasn't part of your keyboard.
Honestly, for laptop users with built-in keyboards, hardware keyloggers aren't really a concern. But if you're in an environment where someone else has physical access to your workstation, it's a 30-second check worth doing.
Look at Running Processes
Open Activity Monitor (it's in Applications > Utilities) and sort by CPU. Then sort by name. Scan through the list and look for processes you don't recognize.
For a more targeted search, use Terminal:
ps aux | grep -i -E "key|log|monitor|capture|record" | grep -v grep
This filters running processes for names containing common keylogger-related keywords. It's not foolproof — a keylogger could be named anything — but it catches the obvious ones.
You can also check for processes making network connections, since many keyloggers send captured data to a remote server:
lsof -i -n -P | grep ESTABLISHED
This shows all active network connections. Look for processes you don't recognize that have established connections to external IP addresses. A legitimate system process connecting to an Apple server is normal. An unknown process connecting to a random IP on a non-standard port? That deserves investigation.
This is actually one of the things we built CoreLock to handle — scanning every running process, checking its code signature, and flagging anything that's making unexpected network connections. Doing it manually works, but it's tedious when you're looking at 300+ processes.
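As an added example (not from the original article or from CoreLock), the lsof check above written as a filter: it keeps established connections to non-local addresses held by commands you have not marked as known, and lists non-standard ports first. The port list, the local address ranges, the function names and the sample output are assumptions constructed for this example.

```python
import ipaddress

# Assumptions of this example: which ports count as "standard", which ranges are local.
STANDARD_PORTS = {53, 80, 443, 993, 5223}
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed `lsof -i -n -P` output. lsof cuts COMMAND to 9 characters by
# default (mDNSResponder -> mDNSRespo); `lsof +c 0` prints full names.
SAMPLE = """\
COMMAND   PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Safari    611 alice 32u IPv4 0x1a2b3c4d5e6f7081 0t0 TCP 192.168.1.20:52011->203.0.113.10:443 (ESTABLISHED)
mDNSRespo 310 _mdnsresponder 7u IPv4 0x1a2b3c4d5e6f7085 0t0 UDP *:5353
rapportd  498 alice 10u IPv4 0x1a2b3c4d5e6f7082 0t0 TCP 192.168.1.20:49160->192.168.1.31:61022 (ESTABLISHED)
syshelper 902 alice 5u IPv4 0x1a2b3c4d5e6f7083 0t0 TCP 192.168.1.20:52040->198.51.100.77:8443 (ESTABLISHED)
syshelper 902 alice 6u IPv6 0x1a2b3c4d5e6f7084 0t0 TCP [2001:db8::20]:52041->[2001:db8::77]:443 (ESTABLISHED)
"""


def parse_established(line):
    """Return (command, pid, remote_ip, remote_port), or None for any other line."""
    fields = line.split()
    if len(fields) < 10 or fields[-1] != "(ESTABLISHED)" or "->" not in fields[-2]:
        return None
    host, _, port = fields[-2].split("->", 1)[1].rpartition(":")
    try:
        return fields[0], int(fields[1]), ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None


def triage(lsof_output, known_commands):
    """External connections held by unrecognized commands, non-standard ports first."""
    findings = []
    for conn in filter(None, map(parse_established, lsof_output.splitlines())):
        command, pid, ip, port = conn
        if command in known_commands or any(ip in net for net in LOCAL_NETS):
            continue  # recognized process, or loopback/link-local/private peer
        priority = "review" if port in STANDARD_PORTS else "high"
        findings.append((priority, command, pid, str(ip), port))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE, known_commands={"Safari", "rapportd", "mDNSRespo"}):
        print(finding)
```

A "review" result still needs a look: an unrecognized process talking over port 443 blends in with normal traffic, which is why the process name, not the port, is the primary filter here.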
The Legitimate Keylogger Problem
Here's a genuine counterpoint I should mention: not all keyloggers are malicious.
Some parents install monitoring software on their kids' Macs. Some employers install them on company-owned machines (usually with an employee agreement). Some accessibility tools technically function as keyloggers because they need to read input to provide their features.
Products like Kidlogger, Refog, and various "parental control" suites include keystroke logging as a feature. If you find one of these on your Mac and you're using a company machine or a family computer, it might be there intentionally.
That doesn't mean you have to be comfortable with it. But it's worth knowing the context before you assume the worst. If it's a personal Mac that only you use and you find monitoring software on it, that's a very different situation than finding parental controls on a teenager's MacBook.
What to Do If You Find One
If you actually find a keylogger — a process or LaunchAgent you can confirm is logging your keystrokes — here's the immediate action plan:
Stop using that Mac for anything sensitive. Don't type passwords, credit card numbers, or anything private until the keylogger is removed.
Kill the process. In Activity Monitor, select it and click the X button. Or from Terminal:
kill -9 <PID>
Remove the persistence mechanism. Delete the LaunchAgent or LaunchDaemon plist file, and delete the executable it points to:
rm ~/Library/LaunchAgents/suspicious-file.plist
rm /path/to/suspicious/executable
Change your passwords. From a different, clean device. Assume every password you've typed on the compromised Mac has been captured. Start with email and banking, then work outward.
Run a full security scan. Tools like CoreLock can check for any remaining persistence mechanisms, suspicious processes, or permission grants you might have missed manually. A keylogger might be just one part of a larger compromise.
Prevention Going Forward
A few habits that make keyloggers much harder to install:
Keep macOS updated. Sequoia and Sonoma have strong protections against unauthorized input monitoring. Don't skip updates — they patch the vulnerabilities that keyloggers exploit.
Review your Input Monitoring and Accessibility permissions every few weeks. It takes 30 seconds. If something new appeared that you didn't authorize, investigate immediately.
Don't install software from random websites. The most common way keyloggers get onto Macs is through trojanized applications downloaded outside the App Store. Stick to the App Store or developers you trust, and pay attention to Gatekeeper warnings.
Be cautious with physical access. If you're in an environment where someone else could install software on your Mac while you're away, use a strong login password and set your lock screen timeout to something short — 2 minutes, not 30.
The truth is, macOS makes it pretty hard for keyloggers to operate without leaving traces. The permission system, code signing requirements, and SIP all work together to make unauthorized input monitoring difficult. But "difficult" isn't "impossible," and checking takes less time than worrying about it.