New Mac Malware Found to Infect via Xcode - MacRumors
Skip to Content

New Mac Malware Found to Infect via Xcode

Security researchers at Trend Micro have discovered a new kind of Mac malware which can "command and control" a target system.

xcode 6

The researchers described the malware, which is part of the XCSSET family, as "an unusual infection related to Xcode developer projects." The malware is unusual because it is injected into Xcode projects, and when the project is built, the malicious code is run. A developer's Xcode project was found to be able to contain the malware, which "leads to a rabbit hole of malicious payloads."

The discovery poses a significant risk for Xcode developers. Trend Micro identified developers affected by the malware who share their projects via GitHub, leading to a potential supply-chain attack for users who rely on repositories for their own projects. Google's VirusTotal scanning software managed to identify the malware, which indicates the threat is at large.

The malware spreads via infected Xcode projects because it can create maliciously modified applications. Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in Javascript, and in turn modify displayed websites, steal private banking information, block password changes, and steal newly modified passwords. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Affected developers may unwittingly distribute the trojan to their users in the form of compromized Xcode projects and built applications. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection as the developers would be unaware that they are distributing malicious files.

To protect against this type of threat, Trend Micro encourages users to only download apps from official marketplaces and consider multilayered security solutions.

Popular Stories

xcode ios 27

Apple Unveils Xcode and Foundation Models Framework Improvements

Monday June 8, 2026 12:05 pm PDT by
Apple today announced a new Foundation Models framework for developers alongside a set of Xcode enhancements aimed at agentic coding workflows. The Foundation Models framework gains image input support, allowing developers to pass images alongside text into on-device models. Apple also introduced custom skills and server-side model execution as part of the framework, giving developers more...
Apple Acquires Award Winning App Play Feature

Apple Acquires Award-Winning App 'Play'

Monday June 29, 2026 7:39 am PDT by
In February, Apple notified the European Commission that it would be acquiring certain assets from and have the right to hire certain employees from Rabbit 3 Times, the company behind the award-winning app design tool Play. The notification was published on the European Commission's website this week, following a four-month waiting period. Play was a Mac and iPhone app that allowed designers ...
iPhone 18 Pro Deep Red Feature

Apple 'Concerned' Over iPhone 18 Pro Data Leak From Supplier Tata

Monday June 29, 2026 11:46 am PDT by
Apple is "concerned" about a recent data leak from Tata Electronics, one of its manufacturing partners in India, reports Reuters. Tata Electronics was the target of a cyberattack, with confidential Apple documents stolen and shared on the dark web. Hackers were able to steal information about the iPhone 18 Pro and iPhone 18 Pro Max, including a list of suppliers, parts, and images of the...

Top Rated Comments

77 months ago
If only there was the technology to prevent this spread. Perhaps something similar to containing a bunch of sand in some kind of box-shaped enclosure.
Score: 15 Votes (Like | Disagree)
russell_314 Avatar
77 months ago
This is why we can’t have nice things 😂
Score: 11 Votes (Like | Disagree)
77 months ago
Now imagine if the malware made it into a Mac App Store app.

This is why we notarize our Mac apps.
Score: 7 Votes (Like | Disagree)
Scottsoapbox Avatar
77 months ago
Can't blame the non-tech savy people for this one.
Score: 6 Votes (Like | Disagree)
lostngone Avatar
77 months ago
Good thing I never migrated to Xcode... CodeWarrior Pro 4 is the only way to compile!
Score: 6 Votes (Like | Disagree)
77 months ago
This whole thing is super fishy. From Trend Micro's technical brief:


We have found two Xcode projects infected by the malware from researching online. One happened on July 13 and the other on July 31. Fortunately, these projects are not too relevant for other users to download and integrate these into their own projects. Still, this proves how dangerous the XCSSET malware could be for developers.
This is really the definition of FUD, no?

So out of the millions of users on GitHub and trillions of lines of code, Trend Micro found just 2 repos with Mac malware?

No self-respecting developer is going to ever use these two repos in the first place. Developers use projects with good documentation that serve an actual need.

Occam's razor more likely says they found malware authors posting to GitHub. A conspiracy theorist might even say they perhaps planted it themselves.

And why are these repos even still active? Malware is against GH's TOS. If Trend Micro actually cared, they'd report these repos as nefarious. Otherwise they have little proof as reporting anything.

And on the linked page:

To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multidevice protection against cyberthreats. Enterprises can take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of
Alerting users to security threats is one thing. Hawking your products at the exact same time is a little desperate IMO.
Score: 5 Votes (Like | Disagree)