Security Researchers Discover XcodeSpy Malware That Targets Developers - MacRumors
Skip to Content

Security Researchers Discover XcodeSpy Malware That Targets Developers

by

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

iu 2 1
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.

Tag: Xcode

Popular Stories

xcode ios 27

Apple Unveils Xcode and Foundation Models Framework Improvements

Monday June 8, 2026 12:05 pm PDT by
Apple today announced a new Foundation Models framework for developers alongside a set of Xcode enhancements aimed at agentic coding workflows. The Foundation Models framework gains image input support, allowing developers to pass images alongside text into on-device models. Apple also introduced custom skills and server-side model execution as part of the framework, giving developers more...
Read Full Article6 comments
Apple Logo Spotlight Blue

Apple Unveiled These Five New Apps Last Week

Saturday June 20, 2026 8:00 am PDT by
Apple last week unveiled five new apps, with four announced at WWDC 2026 alongside its upcoming fall software updates, one released in beta for developers, and one released independently by its subsidiary Claris. Siri AI App One of the biggest announcements of WWDC 2026 was Siri AI, a ground-up rebuild of Apple's voice assistant that for the first time comes with a dedicated standalone...
Read Full Article38 comments
Apple Watch Ultra Orange Alpine Loop Action button 220907 big

Apple Explains Why watchOS 27 Drops Support for So Many Models

Friday June 19, 2026 6:07 am PDT by
Apple today detailed why five Apple Watch models will miss out on watchOS 27 and the new Siri AI features that come with it. The Apple Watch Series 6, 7, 8, SE 2, and the original Apple Watch Ultra will not receive watchOS 27, and will only get basic security updates going forward. With the update, Apple is effectively dropping three years' worth of device support in a single software...
Read Full Article273 comments

Top Rated Comments

jonnysods Avatar
jonnysods
69 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes (Like | Disagree)
Apple_Robert Avatar
Apple_Robert
69 months ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes (Like | Disagree)
I7guy Avatar
I7guy
69 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes (Like | Disagree)
hot-gril Avatar
hot-gril
69 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes (Like | Disagree)
hot-gril Avatar
hot-gril
69 months ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes (Like | Disagree)
Unsupported Avatar
Unsupported
69 months ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks

Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes (Like | Disagree)
Read All Comments