Apple Never Cleans Up After Itself

You've been deleting apps on your Mac for years. They are not gone. Here's what's still living in your walls — and the prompt that finds it.

A note on this one: I handed the keys to Claude and watched it run a forensic sweep of the Library. Some of what it found surprised me. More of it should have surprised me years ago. We wrote this together.


Apple built the most elegant uninstall experience in consumer computing. You drag the app to the Trash. The app is gone. Clean. Simple. The metaphor holds.

It doesn't actually work that way.

I have been using Macs for longer than I want to calculate. I know the Library like the back of a familiar room. And I spent years — years — with a machine that felt subtly wrong. A little slow. A little warm. Background processes I didn't recognize. A /Library full of folders for apps I deleted in 2021. I kept cleaning what I could see. I ignored what I couldn't.

Turns out I wasn't the only one. Turns out this is a main thing.


Here is what happens when you install almost any app on macOS. The app itself goes into /Applications as a tidy little bundle — self-contained, portable, everything in one place. That is the elegant part. Apple got that right.

But the app also writes to ~/Library/Application Support. It registers background processes in ~/Library/LaunchAgents or /Library/LaunchDaemons. If it needs root access to do something — manage a disk, hook into the kernel, run a VPN driver — it drops a binary into /Library/PrivilegedHelperTools. Sometimes it installs a kernel extension.

None of those things go away when you drag the app to the Trash.

The app leaves. Its footprint stays. Its LaunchAgent keeps running. The folder in Application Support keeps sitting there. The privileged helper keeps breathing in the background, waiting for a parent that no longer exists. Your machine is full of ghosts from software you thought you ended years ago.

Apple has known about this for decades. They built Gatekeeper, notarization, sandboxing, the App Store with its surgical install and remove. For apps downloaded outside the App Store — which is most of them — they gave you drag-and-drop and called it a day. Nobody at Apple ever shipped a native uninstaller for the general case. There's a whole cottage industry of third-party tools (AppCleaner, CleanMyMac, others) that exists entirely because Apple left this gap open.

The house metaphor is pretty accurate. Every app you've ever installed left furniture in the walls. You threw out the tenant. The furniture is still there.


The thing that got my attention was Disk Drill.

I deleted Disk Drill a long time ago. Good app. Didn't need it anymore. Gone. Except: it had installed a privileged helper tool — a binary with root access — that was still running. On a machine with no Disk Drill. Just a lonely driver sitting in /Library/PrivilegedHelperTools, fully privileged, waiting. Registered in LaunchDaemons. Starting on every boot.

That is the kind of thing that, when you say it out loud, sounds like something is wrong with the operating system.

Something is wrong with the operating system.

So I sat down with Claude and ran a proper audit. Not paranoid, not dramatic — just methodical. The same approach I'd take to auditing anything else: cross-reference what should be there against what is, flag the mismatches, escalate the genuinely weird ones.

What came back was instructive.

There were orphaned Application Support folders for apps I'd deleted across two machine migrations. There were LaunchAgents for software I hadn't thought about in years, scheduled to phone home on a timer. There was a kernel extension from a piece of software I will not name but which had no business being in the kernel. There was telemetry infrastructure for an app that no longer existed, still faithfully recording crashes for a process that hadn't run since a previous macOS version.

None of it was catastrophic. Most of it was just junk. But some of it had root access. Some of it was making network calls. All of it was slowing down a machine imperceptibly, day after day, until the machine that should feel fast felt merely fine.

Deleting the definitive orphans was straightforward. The suspicious ones we looked at more carefully before touching anything.

The machine is noticeably lighter.


We packaged the audit logic into a prompt you can use. Hand it to Claude (or any capable agent) in a fresh session. It will cross-reference your installed apps against what's living in the Library, identify the orphans, flag the persistent hooks, and check whether anything in your privileged infrastructure doesn't belong.

Give it the names of your active development projects — Claude Code folders, Xcode workspaces, whatever you're running — and it will leave them alone. Everything else is fair game.

Goal: Perform a Security & Remnant Audit of the macOS Library.

--- PHASE 1: Cross-Reference ---
List all apps in /Applications.
Identify "Orphans": folders in ~/Library/Application Support and
/Library/Application Support that do NOT have a corresponding app
in /Applications.

--- PHASE 2: Background Hook Audit ---
List all non-Apple .plist files in:
  /Library/LaunchDaemons
  /Library/LaunchAgents
  ~/Library/LaunchAgents

Flag any that point to orphaned applications, or have suspicious
names (random strings, "crack", "patch", or raw shell scripts).

--- PHASE 3: Privilege & Anomaly Scan ---
Check /Library/PrivilegedHelperTools for non-Apple binaries.
Check for non-Apple kernel extensions via: kmutil showloaded
Search for orphaned telemetry files (SensorsAnalytics entries,
CrashReporter logs for deleted apps).

--- PHASE 4: Mandatory Protection ---
DO NOT TOUCH: com.apple.* system folders.
DO NOT TOUCH: Anything related to [list your dev projects here —
Xcode, Claude Code, GitHub, OpenAI, your active repos].

--- PHASE 5: Reporting ---
Return two lists:
1. DEFINITIVE REMNANTS — safe to delete (orphaned folders with
   no active parent app, confirmed dead LaunchAgents).
2. SUSPICIOUS ANOMALIES — requires your review (privileged helpers,
   kernel extensions, anything making network calls for a deleted app).

Do not delete anything. Report only.

That last line matters. Let the audit run first. Review the lists. Then make the calls yourself.
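One way to run the Phase 2 hook audit and the Phase 3 helper check by hand, as an added example that is not part of the original prompt or post: a read-only Python script built on the standard-library `plistlib`. The function name `audit_launchd` and the status labels are this example's own.

```python
import plistlib
from pathlib import Path

# The three launchd locations named in Phase 2 of the prompt.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                str(Path.home() / "Library/LaunchAgents")]

def audit_launchd(dirs=LAUNCHD_DIRS, apps_dir="/Applications"):
    """Report only: one finding per non-Apple launchd job. Deletes nothing."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            if plist.name.startswith("com.apple."):
                continue  # Phase 4 rule: leave com.apple.* alone
            try:
                with plist.open("rb") as fh:  # XML and binary plists both load
                    job = plistlib.load(fh)
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except Exception as exc:
                findings.append({"plist": str(plist), "label": None,
                                 "target": None, "status": "UNREADABLE",
                                 "detail": str(exc)})
                continue
            args = job.get("ProgramArguments") or []
            target = job.get("Program") or (args[0] if args else None)
            if target is None:
                status = "NO_TARGET"
            elif not Path(target).exists():
                status = "DEAD"               # job outlived its binary
            elif "/PrivilegedHelperTools/" in target:
                status = "PRIVILEGED_HELPER"  # root helper still on disk
            elif target.startswith(apps_dir.rstrip("/") + "/"):
                status = "APP_PRESENT"        # parent app is still installed
            else:
                status = "REVIEW"             # shell, script, or other path
            findings.append({"plist": str(plist), "label": job.get("Label"),
                             "target": target, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_launchd():
        print(f'{f["status"]:<18} {f["label"]}  ->  {f["target"]}')
```

`DEAD` entries map to the prompt's definitive remnants, while `PRIVILEGED_HELPER` and `REVIEW` belong on the suspicious list. The `com.apple.` filter matches on filename only, and a name is not a signature.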


One thing Claude pointed out that I want to pass on: the best time to run this is immediately after you delete an app you don't fully trust. The scent is fresh. The connections between the remnant and the app are obvious. Wait six months and the orphan just looks like mystery furniture.

Run it after every sketchy uninstall. Run it after every macOS major version. Run it any time your machine starts feeling like it's working harder than it should be.

Apple made a beautiful operating system. They just never finished the last ten percent of the garbage collection. You have to do that part yourself.

We did. It helped.


Companion piece: if you want to see what happens when you put persistence hooks on the attacking side of this equation, La Pecorina is exactly that — a browser extension that demonstrates how long a deleted tool can keep reaching into your machine.