Security Researchers Discover XcodeSpy Malware That Targets Developers - MacRumors
Skip to Content

Security Researchers Discover XcodeSpy Malware That Targets Developers

by

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

iu 2 1
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.

Tag: Xcode

Popular Stories

xcode ios 27

Apple Unveils Xcode and Foundation Models Framework Improvements

Monday June 8, 2026 12:05 pm PDT by
Apple today announced a new Foundation Models framework for developers alongside a set of Xcode enhancements aimed at agentic coding workflows. The Foundation Models framework gains image input support, allowing developers to pass images alongside text into on-device models. Apple also introduced custom skills and server-side model execution as part of the framework, giving developers more...
Read Full Article6 comments
Apple Event Logo

Apple to Release These 15 New Products Later This Year

Friday June 12, 2026 7:45 am PDT by
Apple's annual WWDC developers conference is drawing to a close, but there is still a lot to look forward to in the second half of the year. Apple is expected to release at least 15 more products later this year. Now that the more intelligent and personal version of Siri has finally arrived in beta, a full two years after Apple first previewed it at WWDC 2024, we should begin to see some new ...
Read Full Article45 comments
iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Tuesday June 9, 2026 11:29 am PDT by
If you pay for extra iCloud storage on your iPhone, beyond the 5GB included for free, you might receive two more perks on iOS 27 at no additional cost. First, Apple said there will be daily usage limits for some of the new and enhanced Apple Intelligence features on iOS 27, including image generation. However, the company noted that "increased access" is available with "most" iCloud+ storage ...
Read Full Article

Top Rated Comments

jonnysods Avatar
jonnysods
69 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes (Like | Disagree)
Apple_Robert Avatar
Apple_Robert
69 months ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes (Like | Disagree)
I7guy Avatar
I7guy
69 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes (Like | Disagree)
hot-gril Avatar
hot-gril
69 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes (Like | Disagree)
hot-gril Avatar
hot-gril
69 months ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes (Like | Disagree)
Unsupported Avatar
Unsupported
69 months ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks

Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes (Like | Disagree)
Read All Comments