
What ADEX Found Inside an Active XCSSET Attack on Apple Developer Tools

2026/06/01 06:12

ADEX traced a live macOS infection from one strange process to a larger supply-chain threat moving through Apple developer tools. The case centered on XCSSET, a malware family that hides inside Xcode project files rather than finished apps, waiting for a developer to build a project and trigger the payload.

The Clue That Started the Case


The first sign was small but odd: repeated osascript activity running from /tmp/jl. AppleScript itself is a normal macOS tool, but the location mattered. The /tmp directory is a temporary space, not a place where clean software should keep relaunching short-lived scripts with large encoded arguments.

ADEX copied the file before it disappeared. Once captured, /tmp/jl turned out to be a compiled AppleScript. Its contents were packed under layers of base64 encoding, a common way for malware to hide its next move from quick inspection.

After decoding, the sample revealed a shell script that gathered system details. It collected the username, locale, macOS version, CPU type, System Integrity Protection status, Mac serial number, and Chrome-related data. The information was sent to riggletoy.ru, a command-and-control domain that ADEX said was not appearing in public threat feeds at the time. A second domain, netcdndev.in, found later in the GitHub portion of the investigation, was also absent from any public indicator-of-compromise list.

A Build File Became the Doorway

XCSSET’s danger comes from its hiding place. Xcode projects contain project.pbxproj files, which tell Apple’s development software what to run during a build. A malicious script placed there can run under the developer’s own account when the project is compiled.

That makes the attack quiet. No strange installer is needed. No obvious app icon appears. A developer may clone a project from GitHub, open it in Xcode, press Build, and give the malware the moment it needs.

The infection then looks for other Xcode projects on the machine. ADEX found more than 20 altered projects on the affected workstation, all changed within the same minute. That timing pointed to an automated sweep, not a human edit. One infected workstation had already become a staging point for further spread.

Persistence Was the Real Problem

Cleaning one project would not solve the case. ADEX found a fake Launchpad.app buried in a user cache folder, while the real Launchpad lives in /System/Applications/Launchpad.app. That detail matched a known “dock method,” where malware redirects a Dock icon so a user opens both the real app and the hidden payload without noticing.

The report described additional persistence routes, including launch agents, shell profile changes, and git hooks. The lesson was plain: the infected projects were symptoms. The mechanism keeping the infection alive had to be removed first.

ADEX’s cleanup order was strict. Remove the autostart points, reboot, then restore Xcode projects from a clean git state. Reversing that order risks letting the malware rewrite cleaned files again.

GitHub Showed the Wider Trail

The investigation moved from one machine to public repositories. ADEX reported 24 GitHub repositories containing XCSSET payload chains. Among the examples were PrinceMittal1/DemoForAuthFlow, zzzznick/dummy-ios, and dvillegastech/ReaxBD.

One repository, usamajaved357/Breezy, used riggletoy.ru, the same domain seen in the live sample. Another, xiaoyouPrince/XYDevTool, used netcdndev.in, a domain ADEX described as absent from the public indicator-of-compromise list at the time of inspection, which indicates the operators are rotating infrastructure faster than public threat feeds can track it. Twelve of the 24 repositories received commits in 2026, the most recent just one day before inspection, suggesting the campaign was still moving through shared code.

The numbers matter because developer trust is part of the attack path. Xcode project files are often treated as routine plumbing, less visible than source code or dependencies. XCSSET abuses that habit.

The Risk for Apple Developers

The direct target is not the App Store user. The target is the person building software, along with the credentials, browser sessions, repositories, and tokens stored on that machine.

XCSSET can pull data from browsers, Keychain, and configuration files — including cloud keys, AWS tokens, SSH keys, and Git credentials — replace copied Bitcoin or Ethereum wallet addresses, and alter browser behavior through injected JavaScript code. For a software team, that means one compromised Mac can put source code, accounts, and downstream projects at risk.

The practical defense begins before the build button. Developers should inspect unfamiliar Xcode build phases, keep project.pbxproj files in version control, watch global git hooks, keep System Integrity Protection on, and monitor unexpected outbound traffic. Security teams should treat developer laptops as part of the supply chain, not ordinary endpoints.
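One way to put the build-phase inspection above into practice, as an added example rather than ADEX's tooling or any code from the report: a small Python auditor that extracts every PBXShellScriptBuildPhase object from a project.pbxproj, flags phases that call osascript, decode base64, or stage files under /tmp (the traits the live sample showed), and decodes embedded base64 tokens for reading only. The pbxproj fragment and the indicator list are constructed for the example.

```python
import base64
import re
# Indicators that rarely belong in a legitimate build phase (constructed list).
SUSPICIOUS = [
    (r"\bosascript\b", "runs AppleScript from a build phase"),
    (r"base64\s+(-d|-D|--decode)", "decodes an embedded base64 blob"),
    (r"/tmp/\w+", "stages files under /tmp"),
]
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Constructed project.pbxproj fragment: one normal phase, one with XCSSET-style traits.
SAMPLE_PBXPROJ = r'''
		AA01 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "echo ZWNobyBzdXNwaWNpb3Vz | base64 -D > /tmp/jl; osascript /tmp/jl\n";
		};
'''

def shell_script_phases(pbxproj):
    """Yield (object id, phase name, unescaped script) for each shell script phase."""
    for m in re.finditer(r"(\w+) /\* (.*?) \*/ = \{(.*?)\};", pbxproj, re.S):
        body = m.group(3)
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        s = re.search(r'shellScript = "((?:[^"\\]|\\.)*)";', body, re.S)
        if s:
            yield m.group(1), m.group(2), s.group(1).replace('\\"', '"').replace("\\n", "\n")

def decode_previews(script):
    """Decode long base64 tokens so a reviewer can read them; nothing is executed."""
    out = []
    for tok in BASE64_TOKEN.findall(script):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        if text.isprintable():
            out.append(text)
    return out

def audit(pbxproj):
    """Return the build phases that match any indicator, with decoded blob previews."""
    findings = []
    for oid, name, script in shell_script_phases(pbxproj):
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, script)]
        if reasons:
            findings.append({"id": oid, "name": name, "reasons": reasons, "decoded": decode_previews(script)})
    return findings
```

Run audit() over each project.pbxproj in a cloned repository before the first build; a clean phase such as the SwiftLint one produces no finding, while the second phase is reported with its decoded payload preview.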
