XCSSET Malware Targets macOS Developers Through Xcode Projects

Severity: High (Score: 69.5)

Sources: Morningstar, edge.prnewswire.com, www.prnewswire.com, Sg.Finance.Yahoo

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: adex, xcsset, infection, malware, publishes, analysis, research

Severity indicators: malware

Summary

The ADEX security team has published a case study on an active XCSSET malware infection affecting an iOS app development studio. XCSSET, a modular macOS malware identified in 2020, embeds itself in Xcode project files and executes during the build process without alerting the developer. This malware is capable of stealing credentials from various sources, including browsers and cryptocurrency wallets, and can propagate itself by injecting into other Xcode projects. The infection is particularly dangerous as it operates silently, inheriting the developer's permissions. The ADEX team captured the malware using a behavioral analysis technique, revealing its complex capabilities, including clipboard hijacking and ransomware functionality. The malware's evolution continues, with new methods documented as recently as 2025. The case study emphasizes the need for heightened security awareness among developers.

Key Points:

  • XCSSET malware infects Xcode projects, executing during the build process.
  • The malware steals sensitive credentials and can propagate to other projects automatically.
  • ADEX's analysis highlights the silent nature of the infection and its advanced capabilities.

Detailed Analysis

**Impact**

The primary targets are macOS developers, particularly those working with Xcode projects across all Apple platforms. The infection risks supply chain compromise affecting development studios globally, as infected projects propagate through shared repositories like GitHub. Sensitive data at risk includes macOS Keychain credentials, AWS tokens, SSH keys, Git access tokens, browser sessions, and messaging app data. Financial fraud is possible via clipboard hijacking of cryptocurrency addresses, and ransomware capabilities threaten data availability.

**Technical Details**

XCSSET is a modular malware family embedding itself in Xcode project build phase scripts, executing silently at compile time without elevated privileges. It self-propagates by scanning for and injecting itself into other local Xcode projects. The malware harvests credentials from browsers (Safari, Chrome, Firefox), cryptocurrency wallets, and messaging apps, and establishes persistence as a login item. Initial compromise indicators include repeated short-lived osascript processes spawning from the /tmp directory. The payload is an obfuscated, base64-encoded compiled AppleScript binary. No specific CVEs or infrastructure details were disclosed.

**Recommended Response**

Defenders should monitor for anomalous osascript process activity, especially short-lived executions from the /tmp directory. Inspect Xcode project build phase scripts for unauthorized additions and verify repository integrity before building. Enforce strict access controls on developer workstations and repositories, and audit credential storage and usage. There are no patches mentioned; focus on behavioral detection and supply chain hygiene to mitigate infection and propagation risks.
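A build-phase scanner for the indicators named above, added here as an example and not ADEX's tooling or any code from the case study: it pulls each PBXShellScriptBuildPhase script out of a constructed project.pbxproj fragment and flags scripts that reference osascript, /tmp or base64 decoding. The regex patterns, labels and sample fragment are assumptions of this example.

```python
"""Flag suspicious shell script build phases in an Xcode project.pbxproj."""
import re

# Indicators from the analysis above (osascript, /tmp, base64 decoding) plus
# two generic dropper patterns; list order is the order hits are reported in.
INDICATORS = [
    (re.compile(r"\bosascript\b"), "osascript invocation"),
    (re.compile(r"/tmp/"), "reference to /tmp"),
    (re.compile(r"\bbase64\b\s+(?:-D|-d|--decode)"), "base64 decode"),
    (re.compile(r"\bcurl\b.*\|\s*(?:sh|bash|osascript)"), "download piped to interpreter"),
    (re.compile(r"\beval\b"), "eval of a constructed string"),
]

# One PBXShellScriptBuildPhase entry, isa marker through its quoted shellScript.
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)
NAME_RE = re.compile(r'name = "?([^";]+)"?;')

def unescape(s: str) -> str:
    """Undo pbxproj string escaping in a single pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def scan_pbxproj(text: str) -> list[dict]:
    """Return one finding per build phase whose script matches any indicator."""
    findings = []
    for m in PHASE_RE.finditer(text):
        script = unescape(m.group(1))
        name_m = NAME_RE.search(m.group(0))
        name = name_m.group(1) if name_m else "<unnamed>"
        hits = [label for rx, label in INDICATORS if rx.search(script)]
        if hits:
            findings.append({"phase": name, "hits": hits, "script": script})
    return findings

# Constructed sample fragment: one ordinary lint phase and one phase mirroring
# the indicators above (placeholder text only, not a real payload).
SAMPLE_PBXPROJ = r'''
		AA01 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run SwiftLint";
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "echo 'PLACEHOLDER_B64' | base64 -D > /tmp/.x && osascript /tmp/.x\n";
		};
'''
```

Call scan_pbxproj on the text of a repository's project.pbxproj before building; each finding names the build phase and the indicators it matched, so a reviewer can compare it against the phases the team actually added.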

Source articles (4)

  • ADEX Publishes Analysis of XCSSET Malware: Research Details How Active Infection ... — Sg.Finance.Yahoo · 2026-05-19
    LIMASSOL, Cyprus , May 19, 2026 /PRNewswire/ -- The ADEX security team has released a detailed technical case study documenting a live XCSSET infection detected, captured, and analyzed within a client…
  • ADEX Publishes Analysis of XCSSET Malware: Research Details How Active Infection ... — Morningstar · 2026-05-19
    LIMASSOL, Cyprus , May 19, 2026 /PRNewswire/ -- The ADEX security team has released a detailed technical case study documenting a live XCSSET infection detected, captured, and analyzed within a client…
  • Adex Publishes Analysis Of Xcsset Malware Research Details How Active Infection Spreads Silently Through Xcode Projects Github Repositories And Developer Credentials 302775907 — www.prnewswire.com · 2026-05-19
    LIMASSOL, Cyprus , May 19, 2026 /PRNewswire/ -- The ADEX security team has released a detailed technical case study documenting a live XCSSET infection detected, captured, and analyzed within a client…
  • Link — edge.prnewswire.com · 2026-05-19
    MacOS has long been considered inherently resistant to malware, but the threat landscape tells a different story. Attacks targeting the Apple ecosystem are more frequent and sophisticated than commonl…

Timeline

  • 2020-06-01 — XCSSET malware first identified: XCSSET was first discovered as a modular macOS malware targeting developers through Xcode.
  • 2025-01-01 — New injection methods documented: Microsoft reported new injection techniques used by XCSSET, indicating its ongoing evolution.
  • 2026-05-19 — ADEX publishes case study on live infection: ADEX released a detailed analysis of a live XCSSET infection affecting an iOS app development studio.

Related entities

  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Cyprus (Country)
  • code.at (Domain)
  • launchpad.app (Domain)
  • netcdndev.in (Domain)
  • riggletoy.ru (Domain)
  • XcodeGhost (Malware)
  • Xcsset (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.004 - Unix Shell (Mitre Attack)
  • T1059.005 - Visual Basic (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1071.001 - Web Protocols (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1115 - Clipboard Data (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
  • T1547.002 - Authentication Package (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1555.003 - Credentials From Web Browsers (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Chrome (Tool)
  • Curl (Tool)
  • Dockutil (Tool)
  • Git (Tool)
  • Osascript (Tool)
  • Firefox (Platform)
  • GitHub (Platform)
  • IOS (Platform)
  • MacOS (Platform)
  • Safari (Platform)
  • Xcode (Platform)