Particle.news


Microsoft Flags New XCSSET macOS Variant With Firefox Theft and Crypto Clipper

Microsoft describes a developer-focused macOS threat spreading through shared Xcode builds with a coordinated response across Apple and GitHub.

Overview

  • Infections stem from malicious code planted in Xcode projects that executes during builds, enabling spread through shared developer files.
  • The variant expands data theft to Mozilla Firefox using a modified HackBrowserData tool to extract history, cookies, passwords, and saved cards.
  • A clipboard module watches for cryptocurrency wallet patterns and replaces copied addresses with attacker-controlled destinations to divert funds.
  • Stealth and persistence improve through LaunchDaemon entries, a fake System Settings app placed in temporary folders, Git-based persistence, run-only (compiled, non-readable) AppleScripts, and heavier obfuscation; reports also describe macOS security update mechanisms being disabled.
  • Microsoft says activity is limited, has notified Apple, and is working with GitHub to remove related repositories, urging developers to keep systems updated and to inspect third-party Xcode projects before building.
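As an added example (not code from Microsoft's report, from Particle.news, or from the XCSSET analysis itself), the following Python script illustrates the two defensive checks the overview points to: reviewing the Run Script build phases of a third-party Xcode project before building it, and reviewing launchd job plists for programs that live in temporary folders, the location the overview names for the fake System Settings app. The assumption that build-time code lives in `PBXShellScriptBuildPhase` entries of `project.pbxproj`, the review heuristics, and every sample input below are this example's own constructions, not indicators taken from the report.

```python
"""Added defender example: surface Run Script build phases in an Xcode project
and flag launchd jobs whose program sits in a temporary directory.
All heuristics and sample data are constructed for this example."""
import plistlib
import re
import sys
from pathlib import Path
from typing import Dict, List

# project.pbxproj is Xcode's text plist; each PBXShellScriptBuildPhase object
# carries its script as a quoted, backslash-escaped shellScript string.
# (Assumption: this is where build-time code is placed; the report does not
# state the mechanism.)
_PHASE_RE = re.compile(
    r"isa = PBXShellScriptBuildPhase;.*?shellScript = \"((?:[^\"\\]|\\.)*)\";",
    re.S,
)

# Example review heuristics (this example's own, not report indicators).
_SUSPICIOUS = [
    ("base64 decode piped to a shell",
     re.compile(r"base64\s+(-d|-D|--decode).*\|\s*(ba|z)?sh", re.S)),
    ("remote download piped to a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh", re.S)),
    ("AppleScript execution", re.compile(r"\bosascript\b")),
    ("touches LaunchDaemons/LaunchAgents",
     re.compile(r"/Library/Launch(Daemons|Agents)")),
]

# Temporary locations a launchd job should not normally execute from.
_TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def _unescape(s: str) -> str:
    """Undo pbxproj string escaping (\\n, \\t, \\\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)


def shell_script_phases(pbxproj: str) -> List[str]:
    """Return the decoded body of every Run Script build phase in the project."""
    return [_unescape(m.group(1)) for m in _PHASE_RE.finditer(pbxproj)]


def review_script(script: str) -> List[str]:
    """Return the labels of every heuristic that matches the script body."""
    return [label for label, rx in _SUSPICIOUS if rx.search(script)]


def review_launch_plist(data: bytes) -> Dict[str, object]:
    """Summarise a launchd job plist and note whether it runs from a temp dir."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    in_temp = any(str(p).startswith(_TEMP_DIRS) for p in [program, *args])
    return {"label": job.get("Label", "?"), "program": program,
            "run_at_load": bool(job.get("RunAtLoad")), "in_temp_dir": in_temp}


# Constructed sample inputs: one benign phase, one phase a reviewer should read
# carefully (it decodes base64 into a shell and calls osascript), and one
# launchd job pointing at a temp-folder copy of "System Settings".
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA01 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo \"Generating assets\"\nxcrun --sdk macosx actool --help > /dev/null\n";
    };
    AA02 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo ZWNobyBoZWxsbw== | base64 -D | sh\nosascript -e 'display dialog \"hi\"'\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/private/tmp/System Settings.app/Contents/MacOS/System Settings</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def main(argv: List[str]) -> None:
    """Usage: script.py [path/to/project.pbxproj] [launchd-plist-dir]"""
    pbx = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_PBXPROJ
    for i, body in enumerate(shell_script_phases(pbx), 1):
        print(f"build phase {i}: flags={review_script(body) or 'none'}\n{body}")
    plists = [p.read_bytes() for p in Path(argv[2]).glob("*.plist")] if len(argv) > 2 else [SAMPLE_DAEMON]
    for data in plists:
        print(review_launch_plist(data))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed samples reviewed, or pass a checked-out project's `project.pbxproj` and `/Library/LaunchDaemons` to review a real project and host. The heuristics are deliberately narrow (a benign phase that only prints and calls `xcrun` is not flagged) so that a developer reads what is surfaced rather than tuning out noise; anything flagged deserves a human read before the project is built.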