XCSSET malware on Macs?

Ok I know that LifeHacker may not be top tech, but I’m curious what folks make of this post: https://lifehacker.com/what-mac-users-should-know-about-the-new-xcsset-malware-1844753744 I confess that it made me a little nervous.

XCSSET is installed via a trojan that hides in Xcode projects.

Unless there’s some other vector, most users will never do this, so I think you’re safe.

I download recommended things but have no idea if Xcode is involved or not. That’s what has me worrying.

The threat exploits 0days & infects Xcode projects, but has minimal spread. The two Xcode projects they found infected on Github were:

  • ragulSimpragma/twitterTask
  • yimao009/MVC-MVP-MVVM

Nothing popular, nothing other devs would include in their apps. Spread is minimal in the wild, Trend Micro reported its findings to Apple, and the company is working on pushing out an update that would mitigate the Data Vault-related flaw. So no worries for now, and it will get patched (sooner than later, one hopes).

I use Objective-See’s free and open-source BlockBlock, which picks up background daemon tasks that suddenly are created and allows you to block them immediately. Would be useful in such a situation.


Thanks. I’m reassured. :slight_smile:

+1 recommendation to use BlockBlock.

1 Like

Just installed BlockBlock. Great recommendation +1

It’s a useful and powerful utility. But be prepared to have to give approval to installs with every Mac App Store app that gets downloaded or updated. (Don’t worry, with approval there’s a checkbox you can set it to remember each updated app so you won’t be asked again.)


I’ve installed blockblock some time ago, and it still surprises me sometimes with notifications. Did not think of recommending it here though. It just does what it has to and stays out of your way so I forgot :slight_smile: thanks @tjluoma

FYI the latest episode of the Intego Mac Security podcast has a good overview on this malware. They point out that the use of 0-day bugs indicates that this was created by a well-funded entity, meaning probably a nation-state. Meaning we’re probably not the targets.

Hah somehow that doesn’t make me feel better. :sweat_smile:

0-days are rare, expensive and lose their value when identified and patched. Sometimes an 0-day that is discovered by a scammer and pushed out fast to grab as much $$ as quickly as possible before it gets duplicated by other scammers then shut down - but that didn’t happen here. So it’s almost certainly a tool of a major nation-state, the usual suspects being USA, Russia, China, Pakistan, Iran, Israel, and North Korea (though NK tends to go for the cash).

1 Like