Microsoft warns of a new XCSSET macOS malware variant targeting Xcode developers. The modular infostealer hijacks notes, browser data, and crypto wallets via infected projects.
Microsoft’s Threat Intelligence team has identified a new variant of the macOS XCSSET malware that specifically targets developers using Xcode projects. This modular infostealer installs itself in shared Xcode project files so that the malicious code runs whenever an infected project is built. In practice, the malware can quietly harvest data like passwords, Apple Notes content, browser credentials, and cryptocurrency wallets from a developer’s machine. Although Microsoft reports only a few confirmed incidents so far, this alert highlights a broader rise in supply-chain and developer-focused attacks. (Recent industry reports note that software supply-chain attacks even doubled in 2024, underscoring the growing risks to development workflows.)
What Is XCSSET and How It Works
XCSSET first emerged in 2020 and is designed to leverage the collaborative nature of software development. The malware infects Xcode app project files — commonly shared among Apple developers — so that building the project causes the malware to execute. Once active, XCSSET steals sensitive information: it can extract private notes, crypto-wallet credentials, and browser data (even from browsers like Chrome or Firefox). By hiding inside a project file, XCSSET capitalizes on the trust developers place in shared code repositories. In effect, one infected project can compromise multiple developers who build that code, making it a potent developer-targeted threat.
New Variant Features and Tactics
The latest XCSSET variant adds advanced stealth and persistence capabilities. For example, it now targets Firefox by deploying a modified “HackBrowserData” tool to decrypt and steal browser credentials. Importantly, it also includes clipboard hijacking: when the malware sees a cryptocurrency address on the clipboard, it replaces it with an attacker’s address, effectively diverting any digital currency sent from the machine. To stay active, the malware adds new persistence mechanisms — creating LaunchDaemon entries to relaunch itself and even faking system apps (like a dummy System Settings app) to hide its presence. These updates, along with improved code obfuscation, make XCSSET harder to detect and remove.
Developer-Targeted Supply Chain Threats
XCSSET’s focus on Xcode projects is part of a larger trend: attackers are increasingly targeting the software supply chain and development tools. A Sonatype report notes that supply-chain attack detections doubled in 2024. In this context, developer machines and repositories become lucrative targets. An infected project or library can spread malware across many organizations if developers unknowingly build and redistribute it. The XCSSET case exemplifies this risk: by undermining the build process itself, the attackers can exfiltrate data from any developer or user of the compromised app. In short, even a small infection can have outsized impact across the software ecosystem.
How to Protect Your Development Environment
Microsoft and security experts emphasize vigilance. First, keep macOS and all development tools patched — previous XCSSET variants exploited known macOS flaws (including zero-days), so updates can block known attack methods. Second, scrutinize Xcode projects from others: before building code from a colleague or open-source repository, inspect it for unfamiliar scripts or binaries. Use reputable source control and restrict permissions so that malicious code cannot easily execute. Finally, run security software that can detect anomalous behaviors (like unauthorized LaunchDaemons or unexpected network connections). Together, these steps can minimize the risk of stealthy infostealers like XCSSET.
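One concrete way to do the "inspect it for unfamiliar scripts" step, added here as an example that is not from Microsoft's report or any real XCSSET sample: Xcode keeps Run Script build phases inside project.pbxproj as PBXShellScriptBuildPhase objects, so a reviewer can list every build-time script before building. The pbxproj sample below and the heuristic list are constructed assumptions for illustration.

```python
import re

# Constructed sample, not a real XCSSET artifact: a trimmed project.pbxproj with
# two Run Script phases. AA01 is a normal linter step; AA02 has the shape of an
# injected phase (decode-and-execute plus a launchd persistence path).
SAMPLE_PBXPROJ = r'''/* Begin PBXShellScriptBuildPhase section */
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
        };
        AA02 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "echo aGVsbG8= | base64 -d | sh\ncp p /Library/LaunchDaemons/x.plist\n";
        };
/* End PBXShellScriptBuildPhase section */'''

SECTION_RE = re.compile(r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)"
                        r"/\* End PBXShellScriptBuildPhase section \*/", re.S)
ENTRY_RE = re.compile(r"(\w+)\s*/\*\s*(.*?)\s*\*/\s*=\s*\{(.*?)\n\s*\};", re.S)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)

# Assumed review heuristics: patterns a build-time script rarely needs legitimately.
SUSPICIOUS = [
    (r"base64\s+(-d|-D|--decode)\b", "decodes embedded base64"),
    (r"\b(curl|wget)\b", "fetches content at build time"),
    (r"\|\s*(sh|bash|zsh|python3?|osascript)\b", "pipes data into an interpreter"),
    (r"/Library/Launch(Daemons|Agents)/", "touches launchd persistence paths"),
]

def _unescape(s):
    # pbxproj strings escape newline, tab, quote and backslash with a backslash
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)

def find_script_build_phases(pbxproj_text):
    """Return each Run Script phase as {id, name, script, reasons}; reasons is empty when clean."""
    section = SECTION_RE.search(pbxproj_text)
    if not section:
        return []
    phases = []
    for ent in ENTRY_RE.finditer(section.group(1)):
        obj_id, comment, body = ent.groups()
        sm = SCRIPT_RE.search(body)
        script = _unescape(sm.group(1)) if sm else ""
        nm = re.search(r'name\s*=\s*"?([^";]+)"?\s*;', body)
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, script)]
        phases.append({"id": obj_id, "name": nm.group(1) if nm else comment,
                       "script": script, "reasons": reasons})
    return phases
```

Run it over a real project's project.pbxproj and read every script it returns, flagged or not; the heuristics only prioritise, they do not replace reading the script.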
In conclusion, the new XCSSET variant underscores that developers must secure their own workflows. Even a limited outbreak can cause broad damage if an infected project propagates. By treating code repositories and build tools as sensitive assets, development teams can help prevent attacks. Staying informed about emerging threats — and following best practices for code review and patching — will be crucial to keeping Apple development environments safe.
