New macOS malware XcodeSpy found sneaking into spy on victims

According to researchers, XcodeSpy malware is targeting Xcode Developers in a supply-check attack.
New macOS malware XcodeSpy Targets Xcode Developers

According to researchers, XcodeSpy malware is targeting Xcode Developers in a supply-check attack.




The commonly known secure MacOS has been infiltrated by malware again that has been used by unknown threat actors to target developers who use Xcode integrated development environment (IDE).

Threat actors have recently started making malicious versions of popular projects in the hopes of luring developers to include them in their applications. When these applications are compiled, the malicious component will infect their computer in a supply-chain attack

The malware, named XcodeSpy, was disguised to deliver a custom variant of a backdoor known as EggShell which allows its operators to spy on users and it was discovered by the IT security researchers at SentinelOne on Thursday.

This backdoor can also give the threat actors access to upload and download files, capture data from the victim’s camera, microphone, and keyboard. 

SentinelOne’s report states that they got to know about the malware from an anonymous researcher but the company did also come across XcodeSpy back in late 2020 targeting an organization in the US.

SentinelOne was informed by the victim that it is being regularly targeted by threat actors linked to North Korea and they came across it while conducting threat hunting activities. 




There has been cross-referenced evidence found that states how the campaign involving XcodeSpy was active at least between July and October 2020. The malware was also once delivered as a trojanized version of an open-source Xcode project offered to iOS developers.

The company has not yet found any other trojanized Xcode projects but believes that other similar malicious projects could exist. 

Additionally, researchers believe that since this is not the first piece of malware that has been created to target Xcode developers, it is highly likely that another one would resurface again until the threat actors are brought to light.

Back in 2015, a similar threat named XcodeGhost allowed attackers to inject malicious code into hundreds of legitimate applications which used rogue versions of Xcode that developers downloaded from third-party websites.

It is possible that XcodeSpy may have been targeted at a specific developer or group but there are other potential scenarios with such high-value victims. 




Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

1 comment
  1. thank you. I’ve been trying to find out what has been ruining my life and making me hate tech. this article and the one on blackrock gives me a direction finally. i have been trying to figure out this monkey on my back tossing shit at all devices all day everyday since late summer last year. might not be my intruder but the 1st time i seen anything on the specific ways the programs work which i can’t wait to rub inLG, Norton, Verizon, Apple, My x, and some friends that said a thing like this wasn’t possible. If it snot one of these i will keep browsing you site to see if u get closer or if i figure this thing out. Apple needs to be ware though. what i got going on uses their handy device communication to spread. did apple id or none logged, it don’t care. droid or apple , phone or poor mac . It spreads live the china virus

Comments are closed.

Related Posts