[City, State] — [Date] — Adex has published a first-hand investigation into an active XCSSET malware infection targeting macOS developer pipelines, revealing how the malware hides inside Xcode project build files and spreads through developer workflows.
The investigation examined a live infection on a macOS workstation used for iOS development. Adex found that XCSSET was not embedded in a final application, but inside Xcode project configuration files known as project.pbxproj files. These files control build instructions in Xcode, Apple’s official development environment for macOS, iOS, iPadOS, watchOS, and tvOS applications.
XCSSET is a modular macOS malware family first identified in 2020. It is distributed through compromised Xcode projects and triggered when a developer builds the project. Once activated, the malware can harvest credentials, collect browser session data, manipulate cryptocurrency wallet addresses copied to the clipboard, establish persistence, and infect other Xcode projects on the same machine.
During the investigation, Adex identified repeated osascript executions from /tmp/jl, a temporary file that disappeared almost immediately after running. The team captured the file and found that it was a compiled AppleScript containing obfuscated payloads. After decoding the payload, Adex found that the malware collected system information and contacted the command-and-control domain riggletoy.ru.
Adex also found that the malware had modified more than 20 Xcode projects on the affected workstation. The projects were changed within the same minute, indicating automated propagation across the machine. The investigation further identified persistence mechanisms, including a fake Launchpad.app placed in a user cache directory, as well as possible launch agents, shell profile injections, and git hooks.
The report explains that cleaning individual Xcode projects is not enough if the persistence layer remains active. According to Adex, remediation should begin by removing all autostart points, including fake application files, rogue launch agents, shell profile injections, and git hooks. The system should then be rebooted before restoring Xcode projects from a known-clean git state.
Adex’s investigation also reviewed public GitHub repositories and identified 24 repositories containing XCSSET payload chains. Examples included PrinceMittal1/DemoForAuthFlow, zzzznick/dummy-ios, and dvillegastech/ReaxBD. Several repositories had recent activity, with some committed in 2026. The report also highlighted command-and-control domains including riggletoy.ru and netcdndev.in, with netcdndev.in described as a domain not previously found in public indicator lists at the time of the investigation.
Adex recommends that developers manually inspect Xcode build phases before opening or building unfamiliar projects, monitor project.pbxproj files in version control, check global git hooks, keep System Integrity Protection enabled, and use outbound firewall and persistence-monitoring tools.
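As an added illustration that is not part of Adex's report or tooling, the following POSIX shell script shows two of the checks above in practice: inspecting the "Run Script" build phases stored in a project.pbxproj file, and reading the global git core.hooksPath setting that a hook-based autostart would rely on. The report only names osascript and the /tmp/jl launcher; the extra terms in SUSPICIOUS_PATTERN (base64, curl, eval) are assumed review triggers, not indicators from the investigation, and the sample pbxproj fragment and gitconfig are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not the Adex report's code): audit Xcode build phases and
# the global git hooks path for the autostart points described above.

# Script contents that warrant a manual look. osascript and /tmp/ follow the
# behaviour in the report; the remaining terms are assumptions to tune.
SUSPICIOUS_PATTERN='osascript|/tmp/|base64|curl |eval '

# count_suspicious_phases FILE
# Echoes how many PBXShellScriptBuildPhase script bodies in FILE match.
# Xcode stores each body on one 'shellScript = "...";' line with escaped
# newlines, so a line-oriented match is sufficient.
count_suspicious_phases() {
    grep -E 'shellScript = "' "$1" | grep -Ec "$SUSPICIOUS_PATTERN" || true
}

# report_project FILE
# Prints the matching script lines for review; returns 1 if any were found.
report_project() {
    n=$(count_suspicious_phases "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n Run Script phase(s) to review"
        grep -E 'shellScript = "' "$1" | grep -E "$SUSPICIOUS_PATTERN" | sed 's/^/    /'
        return 1
    fi
    echo "$1: no suspicious Run Script phases"
    return 0
}

# global_hooks_path CONFIG
# Echoes core.hooksPath from a git config file (normally ~/.gitconfig), or
# nothing if it is unset. A global hooks path can be legitimate, but every
# script in that directory runs on ordinary git activity, so it is worth
# listing and reading when checking for persistence.
global_hooks_path() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*hooksPath[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# make_sample_pbxproj SCRIPT_BODY
# Writes a constructed, minimal pbxproj fragment holding one Run Script
# phase with the given body and echoes the temp file path (test input only).
make_sample_pbxproj() {
    f=$(mktemp "${TMPDIR:-/tmp}/pbxproj.XXXXXX")
    cat > "$f" <<EOF
		DEADBEEF /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "$1";
		};
EOF
    echo "$f"
}

# make_sample_gitconfig HOOKS_DIR
# Writes a constructed .gitconfig that points core.hooksPath at HOOKS_DIR.
make_sample_gitconfig() {
    f=$(mktemp "${TMPDIR:-/tmp}/gitconfig.XXXXXX")
    printf '[user]\n\tname = dev\n[core]\n\thooksPath = %s\n' "$1" > "$f"
    echo "$f"
}

# Demo on constructed inputs: a benign lint step and a phase staged like the
# /tmp/jl launcher the report describes. On a real machine, point
# report_project at each project.pbxproj (find . -name project.pbxproj) and
# global_hooks_path at "$HOME/.gitconfig".
clean=$(make_sample_pbxproj 'swiftlint --quiet\n')
dirty=$(make_sample_pbxproj 'osascript /tmp/jl; rm -f /tmp/jl\n')
report_project "$clean" || true
report_project "$dirty" || true
cfg=$(make_sample_gitconfig '/Users/dev/.git-hooks')
echo "global hooksPath: $(global_hooks_path "$cfg")"
rm -f "$clean" "$dirty" "$cfg"
```

A match from this script is a prompt to read the phase, not a verdict: legitimate projects use Run Script phases for linting, code generation and CocoaPods, and the report's own guidance is to inspect build phases manually before building unfamiliar projects.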
For organizations, the report recommends behavioral endpoint detection on developer machines, regular auditing of third-party SDKs and dependencies, mobile device management controls, monitoring of launch agents and git hook settings, and regular rotation of API tokens. Any token stored on a compromised developer machine should be treated as exposed.
The full report positions XCSSET as a supply-chain threat because it targets the trusted relationship between developers, repositories, build systems, and downstream software users. Its effectiveness depends on hiding in build files that are commonly shared but rarely reviewed manually.
About Adex
Adex is a cybersecurity and fraud-prevention company focused on identifying, analyzing, and disrupting threats that affect digital businesses, developer environments, and advertising ecosystems. The company investigates malware, fraud infrastructure, account compromise, and supply-chain risks to help organizations detect exposure, strengthen defenses, and respond to active threats.