XCSSET is a trojan targeting macOS, first discovered in 2020.
Also known as: OSX.XCSSET, Xcode Malware
XCSSET is a sophisticated macOS malware that infects Xcode developer projects. When a developer builds an infected project, the malware executes and can steal browser cookies, inject JavaScript into Safari, screenshot the desktop, and exfiltrate files. It spreads developer-to-developer as infected projects are shared via GitHub.
Infected Xcode projects shared on GitHub repositories
Developer-to-developer transmission when sharing project files
Modified Xcode build settings that execute malware during compilation
Trojanized open-source libraries imported as project dependencies
Modified build settings in .xcodeproj files you did not change
Unexpected network connections during Xcode builds
Safari extensions or data you did not install
Screenshots being taken without your knowledge (check ~/Library)
Check the build phase scripts in all your Xcode projects. XCSSET injects a malicious Run Script phase that executes during builds. Look for unfamiliar scripts referencing /tmp or hidden directories.
Delete the injected build scripts and any related files in your project directories. Compare your .xcodeproj files against clean versions from version control.
XCSSET targets Safari cookies and can inject JavaScript. Clear Safari data, remove unknown extensions, and reset browser settings to defaults.
Delete any LaunchAgents or cron jobs created by the malware. Check ~/Library for unusual files or directories created around the time you opened the infected project.
Run a CoreLock scan to detect any remaining XCSSET modules including its screenshot, keylogging, and data exfiltration components.
Audit Xcode projects from external sources before building them
Review build phase scripts in any shared or forked project
Use git diff to inspect changes in .xcodeproj files before committing
Enable CoreLock's developer mode to monitor Xcode build processes for injection attacks
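The audit recommended above (checking the Run Script build phases of every Xcode project you did not write yourself, and looking for scripts that reference /tmp or hidden directories) can be scripted. The following POSIX shell script is an added example, not part of this page or of CoreLock: it reads the `project.pbxproj` inside an `.xcodeproj` bundle, extracts every `shellScript` string (Xcode stores each Run Script phase as one escaped string on a single line), and flags the ones matching the two indicators named above. The heuristic pattern, the function names and the embedded sample project are constructed for illustration; a real project will have its own phases.

```shell
#!/bin/sh
# Audit the Run Script build phases of an Xcode project for the indicators
# described above: scripts that reference /tmp or a hidden (dot-prefixed)
# path. Added example; the sample project below is constructed.

# Heuristic for suspicious Run Script content: a reference to /tmp or to a
# hidden path component. Assumption: these two patterns are the indicators
# listed on the page; extend the alternation for your own environment.
SUSPICIOUS_RE='/tmp([^[:alnum:]_.-]|$)|/\.[^./]'

# Resolve a .xcodeproj bundle or a project.pbxproj path to the pbxproj file.
pbxproj_path() {
    if [ -d "$1" ]; then
        printf '%s\n' "$1/project.pbxproj"
    else
        printf '%s\n' "$1"
    fi
}

# Print the shellScript string of every PBXShellScriptBuildPhase, one per
# line. pbxproj keeps the script as a single quoted string with \n escapes,
# so each phase already occupies one line of the file.
list_run_scripts() {
    sed -n 's/^[[:space:]]*shellScript = "\(.*\)";[[:space:]]*$/\1/p' "$(pbxproj_path "$1")"
}

# Count the Run Script phases matching the heuristic (prints 0 when none).
count_suspicious_scripts() {
    list_run_scripts "$1" | grep -Ec "$SUSPICIOUS_RE" || true
}

# Human-readable report: one line per Run Script phase.
audit_project() {
    list_run_scripts "$1" | while IFS= read -r script; do
        if printf '%s\n' "$script" | grep -Eq "$SUSPICIOUS_RE"; then
            printf 'SUSPICIOUS: %s\n' "$script"
        else
            printf 'ok:         %s\n' "$script"
        fi
    done
}

# Constructed project.pbxproj fragment with three Run Script phases: a benign
# echo, a script run from a hidden directory, and a script staging into /tmp.
make_sample_pbxproj() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
// !$*UTF8*$!
{
    objects = {
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "echo \"Building ${TARGET_NAME}\"\n";
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "sh \"${SRCROOT}/.xcassets/setup.sh\"\n";
        };
        AA03 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "cp \"${SRCROOT}/Resources/data.bin\" /tmp/stage\n";
        };
    };
}
EOF
    printf '%s\n' "$f"
}

# Usage: sh audit_xcodeproj.sh MyApp.xcodeproj   (or a project.pbxproj path)
if [ $# -gt 0 ]; then
    audit_project "$1"
fi
```

Run it against every project cloned from an external source before the first build, and pair it with `git diff -- '*.pbxproj'` before committing so that a Run Script phase you did not add shows up as a diff rather than as a surprise at compile time. The heuristic is deliberately narrow; a phase that passes it still deserves a read if you do not recognise it.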
Real-time Detection
CoreLock detects XCSSET through Xcode project file analysis scanning for injected build phases, behavioral monitoring of unauthorized Safari manipulation, YARA rules targeting known XCSSET module signatures, and network detection of data exfiltration during build processes.
XCSSET primarily targets developers through Xcode projects. If you do not use Xcode or build code from external sources, your risk is low. However, applications built from infected projects could contain the malware, so end users can be indirectly affected.
XCSSET modifies the build settings in .xcodeproj files, adding a malicious Run Script build phase. When the project is compiled, this script executes the malware. The infection persists in the project file, so anyone who builds the project gets infected.
XCSSET can steal Safari cookies and passwords, take screenshots, access Evernote data, exfiltrate files, inject JavaScript into web pages for phishing, and encrypt files for ransom. It is a modular framework with multiple payload capabilities.
Download CoreLock to detect and remove XCSSET and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.