Overview
- XCSSET continues to propagate through booby-trapped Xcode projects that execute the malware during builds, making developers a primary target.
- The latest variant introduces a clipboard clipper that detects cryptocurrency wallet patterns and swaps in attacker-controlled addresses.
- A new Firefox-focused info-stealer uses a modified HackBrowserData build to extract passwords, cookies, history and stored card details.
- Persistence and stealth now include a LaunchDaemon that runs a hidden ~/.root payload, a fake System Settings app, encryption and run-only AppleScripts, and attempts to disable macOS automatic updates and Rapid Security Response.
- Microsoft says observed activity remains limited and has shared findings with Apple while working with GitHub to remove malicious repositories, urging users to inspect Xcode projects, keep macOS updated, use endpoint defenses, and double-check clipboard contents before transactions.
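As an added example (not code from Microsoft's report or from any XCSSET sample), the following Python script turns three of the behaviours listed above into host-side checks a defender can run over artefacts pulled from a Mac: it scans a `project.pbxproj` for shell-script build phases that warrant a look before a build is run, flags a LaunchDaemon or LaunchAgent plist whose program lives under a hidden path such as `~/.root`, and lists which `com.apple.SoftwareUpdate` preference keys are off. The pbxproj snippet, the plist and the preference dictionary are constructed inputs; the marker list is a heuristic chosen for this example, not an XCSSET signature; the preference key names are the standard macOS ones, and the `com.example.updater` label and `/Users/dev` path are placeholders.

```python
"""Audit helpers for the XCSSET behaviours summarised above. Example code
written for this page; all sample inputs are constructed, not real samples."""
import plistlib
import re
from typing import Dict, List

# Phrases that warrant human review when they appear in a build-phase script.
# Heuristic list chosen for this example, not an XCSSET signature.
SUSPICIOUS_SCRIPT_MARKERS = (
    "base64", "curl ", "wget ", "eval ", "osascript", "xxd",
    "| sh", "| bash", "python -c", "perl -e",
)

# pbxproj files are OpenStep-format plists, which plistlib cannot read, so a
# regex pulls the shellScript string out of each PBXShellScriptBuildPhase block.
_PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;[^}]*?shellScript = "((?:[^"\\]|\\.)*)";',
    re.DOTALL,
)

# com.apple.SoftwareUpdate keys that should read True on a Mac that patches itself.
EXPECTED_UPDATE_KEYS = (
    "AutomaticCheckEnabled", "AutomaticDownload",
    "AutomaticallyInstallMacOSUpdates", "CriticalUpdateInstall", "ConfigDataInstall",
)


def _unescape_pbx(s: str) -> str:
    """Undo the escaping Xcode applies inside pbxproj string literals."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def find_suspicious_build_phases(pbxproj_text: str) -> List[Dict[str, object]]:
    """Return every shell-script build phase with the markers that hit it."""
    findings = []
    for m in _PHASE_RE.finditer(pbxproj_text):
        script = _unescape_pbx(m.group(1))
        hits = [mk for mk in SUSPICIOUS_SCRIPT_MARKERS if mk in script]
        findings.append({"script": script, "markers": hits, "suspicious": bool(hits)})
    return findings


def _has_hidden_component(path: str) -> bool:
    """True when a path component is a dot-entry like .root (ignores . and ..)."""
    if not (path.startswith("/") or path.startswith("~")):
        return False  # flags or bare words in ProgramArguments are not paths
    return any(c.startswith(".") and c not in (".", "..") for c in path.split("/"))


def audit_launchdaemon(plist_bytes: bytes) -> Dict[str, object]:
    """Flag a launchd job plist whose Program/ProgramArguments use a hidden path."""
    job = plistlib.loads(plist_bytes)
    candidates = [p for p in [job.get("Program"), *job.get("ProgramArguments", [])]
                  if isinstance(p, str)]
    hidden = [p for p in candidates if _has_hidden_component(p)]
    return {
        "label": job.get("Label"),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "hidden_paths": hidden,
        "suspicious": bool(hidden),
    }


def disabled_update_settings(prefs: Dict[str, object]) -> List[str]:
    """Return the software-update keys that are missing or switched off."""
    return [k for k in EXPECTED_UPDATE_KEYS if not prefs.get(k, False)]


# Constructed pbxproj fragment: one phase decodes base64 into sh, one runs a linter.
SAMPLE_PBXPROJ = r'''
		AA0000000000000000000001 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo ZWNobyBoaQ== | base64 -d | sh\n";
		};
		AA0000000000000000000002 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
'''

# Constructed launchd plist pointing at a hidden ~/.root-style payload.
SAMPLE_LAUNCHDAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>/Users/dev/.root</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed preference snapshot with several automatic-update keys turned off.
SAMPLE_UPDATE_PREFS = {"AutomaticCheckEnabled": True, "AutomaticDownload": False,
                       "CriticalUpdateInstall": False}

if __name__ == "__main__":
    for f in find_suspicious_build_phases(SAMPLE_PBXPROJ):
        print("build phase", "SUSPICIOUS" if f["suspicious"] else "ok", f["markers"])
    print("launchd job:", audit_launchdaemon(SAMPLE_LAUNCHDAEMON))
    print("update keys off:", disabled_update_settings(SAMPLE_UPDATE_PREFS))
```

On a real machine the inputs would come from `project.pbxproj` inside the `.xcodeproj` bundle, from `/Library/LaunchDaemons` and `~/Library/LaunchAgents`, and from `defaults read /Library/Preferences/com.apple.SoftwareUpdate`; the regex keeps the full script text in each finding so a reviewer can read it rather than trust the marker hit alone.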