
ADEX Publishes Analysis of XCSSET Malware: Research Details How Active Infection Spreads Silently Through Xcode Projects, GitHub Repositories, and Developer Credentials
LIMASSOL, Cyprus, May 19, 2026 /PRNewswire/ -- The ADEX security team has released a detailed technical case study documenting a live XCSSET infection detected, captured, and analyzed within a client environment – an iOS app development studio whose infrastructure was suspected to be compromised.
XCSSET is a modular macOS malware family first identified in 2020 that has continued to evolve, with new injection methods documented as recently as 2025 by Microsoft. Unlike conventional malware, XCSSET does not reside in compiled applications. Instead, it embeds itself inside Xcode project files and executes the moment a developer initiates a build – with no unusual permissions, no suspicious downloads, and no alerts from the operating system.
Key findings from the ADEX investigation include:
- Silent execution at compile time. XCSSET injects a malicious build phase script into Xcode projects. The script runs under the developer's own account, inheriting full system access without requiring elevated privileges.
- Self-propagating supply chain risk. Once active, the malware scans the infected machine for other Xcode projects and injects itself into each one. Any developer who subsequently clones and builds an infected repository becomes a new host — no additional interaction required.
- Broad credential and data theft. The malware extracts credentials from macOS Keychain, AWS tokens, SSH keys, Git access tokens, and advertising platform credentials. Browser sessions across Safari, Chrome, and — in the 2025 variant — Firefox are compromised. Messenger data from Telegram, WeChat, Skype, and others is also targeted.
- Clipboard hijacking for financial fraud. Any Bitcoin or Ethereum address copied to the clipboard is silently replaced with an attacker-controlled wallet address, causing payments to reach the wrong destination while appearing legitimate to the sender.
- Persistence and ransomware capability. XCSSET registers itself as a login item to survive reboots and ships with a ransomware module capable of encrypting files — a capability present since the malware's first documented version.
The ADEX team captured the live sample using a 100-millisecond polling loop after observing repeated short-lived osascript processes spawning from the /tmp directory – a behavioral pattern that served as the initial indicator of compromise. The sample was identified as a compiled AppleScript binary containing an obfuscated, base64-encoded payload.
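The polling approach described above, as an added illustration that is not ADEX's own tooling: a POSIX shell filter that flags `osascript` processes referencing a script under `/tmp` in `ps` output, and a 100 ms loop that copies the referenced script for offline analysis before the short-lived process exits. The process listing and file names are constructed for the example.

```shell
#!/bin/sh
# Added detection example (not from the ADEX case study). Input lines are in
# "ps -axo pid=,ppid=,user=,command=" form: pid ppid user command args...

# Print "pid script-path" for each osascript invocation whose arguments
# reference a file under /tmp (or /private/tmp, its real path on macOS).
flag_osascript_from_tmp() {
  awk '$4 == "osascript" || $4 ~ /\/osascript$/ {
         for (i = 5; i <= NF; i++)
           if ($i ~ /^\/(private\/)?tmp\//) { print $1, $i; next }
       }'
}

# Constructed sample of a process listing (hypothetical names, not indicators).
SAMPLE_PS='501 1 dev /usr/bin/osascript /tmp/xcode_helper.scpt
502 1 dev /usr/bin/osascript -e tell application "Finder" to activate
503 1 dev /usr/bin/xcodebuild -project App.xcodeproj
504 1 dev /usr/bin/osascript /private/tmp/.stage'

# Number of suspicious osascript processes in the constructed sample.
count_hits() {
  printf '%s\n' "$SAMPLE_PS" | flag_osascript_from_tmp | wc -l | tr -d ' '
}

# Script path of the first suspicious process in the constructed sample.
first_hit_path() {
  printf '%s\n' "$SAMPLE_PS" | flag_osascript_from_tmp | head -n 1 | cut -d' ' -f2
}

# Live capture loop for a macOS host: snapshot the process table every
# 100 ms and copy any /tmp script that osascript is executing into $1,
# so the payload survives the process's short lifetime for later analysis.
poll_osascript() {
  outdir="${1:-./captured}"; interval="${2:-0.1}"
  mkdir -p "$outdir"
  while :; do
    ps -axo pid=,ppid=,user=,command= | flag_osascript_from_tmp |
      while read -r pid path; do
        dest="$outdir/$(date +%s)-$pid-$(basename "$path")"
        [ -e "$dest" ] || cp "$path" "$dest" 2>/dev/null
      done
    sleep "$interval"
  done
}
```

Run `poll_osascript /path/to/evidence` on the suspect host; captured scripts can then be decompiled and their base64 payload decoded on an isolated analysis machine.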
The full case study is available on the ADEX blog.
Media Contact
Michael Gor
97767567
[email protected]
SOURCE Adex