Cybersecurity Threat Advisory 0017-21: MacOS Malware XcodeSpy

Threat Update

A malicious version of the macOS development environment Xcode has been spotted in the wild. Dubbed “XcodeSpy,” its main function is to use a custom Run Script to connect to a C&C server when a compromised application is launched. This will download a version of the “EggShell” backdoor and function as a trojan. A compromised device would give an attacker access to all files on the device as well as the keyboard, webcam, and microphone. It is recommended at this time that any Xcode developers avoid downloading untrusted projects, and a script to check for compromised projects has been provided in the recommendations for this advisory.

Technical Detail & Additional Information


Xcode, the integrated development environment for macOS, has become the newly chosen vehicle for a supply chain attack on Apple devices. A compromised version of Xcode has been detected in the wild that contains trojan components and can be used to compromise any software that is developed with this unknowingly malicious variant of Xcode. Dubbed “XcodeSpy”, the compromised version of Xcode runs a deliberately obfuscated Run Script in order to install a variant of the backdoor known as “EggShell” when the developer’s application is launched. The Run Script (when launched) will connect to an attacker-controlled command and control (C&C) server and download EggShell, which will then allow the threat actor access to many facets of the compromised device such as the microphone, camera and keyboard, as well as the ability to both upload and download files.


With the massive supply chain attack targeted at SolarWinds in recent memory, supply chain attacks have been given an increasingly large spotlight in the security landscape. An application developed with this compromised version of Xcode could result in a similar fallout if it were distributed in vast quantity. It is also possible in this case that the “target(s)” (if there are any) of this attack are the developers of the application themselves, and not the users of the developed applications. If a compromised application in development is run by one of the developers, that device would also be compromised. This is not to say that there are obvious targets for XcodeSpy at this time, but unlike a typical supply chain attack, the trojanized nature of XcodeSpy also presents a risk to the developers of applications as well as the consumer.


Any build of any application that is run by a version of Xcode compromised by XcodeSpy will infect the executing device with the EggShell backdoor. This allows the exfiltration of sensitive user information that can be collected in various ways such as by using the microphone, recording keystrokes, or using a built-in camera. The backdoor also allows the malicious actor to upload or download any file to or from the device, allowing further compromise with additional malware. As previously mentioned, because any device that runs a compromised application built with XcodeSpy will be at risk, this threat affects both the developers of the application and any consumer that may use it. This means that a compromised development machine can be at risk of allowing lateral movement into an entire developer organization as easily as a compromised consumer machine can do the same.


Given that XcodeSpy has been seen being distributed predominantly through compromised Xcode projects, any person seeking openly shared Xcode projects should be cautious about the disposition of the projects they download. Dissemination of compromised projects has been seen on popular sharing sites such as GitHub, and it is highly recommended that you only view or run projects from well-known sources. It is also possible to search for any Run Scripts in the “Build Phases” part of an Xcode project by running the command below:

  • find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/{print "\033[37m" $0 "\033[31m" FILENAME}'

This will return any Run Script in the Build Phase whose line contains both of the strings “shellScript” and “eval” and print the script as well as the name of the file that contains it. While the process is manual, it is the best course of action for determining a compromised build at this time.
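As an added example (not part of the original advisory or of any vendor script), the Python scanner below extends the same check: it decodes each Run Script body stored in project.pbxproj, reports the line it sits on, and exits non-zero so it can gate a CI job. Only the “eval” pattern comes from the command above; the “network” and “decoder” patterns and the sample project text are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# project.pbxproj keeps each Run Script body on one line: shellScript = "...";
SHELL_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# "eval" is what the advisory's one-liner searches for. The other two patterns
# are assumptions added for this example, not indicators from the advisory.
INDICATORS = {
    "eval": re.compile(r"\beval\b"),
    "network": re.compile(r"\b(?:curl|wget)\b|/dev/tcp/"),
    "decoder": re.compile(r"\b(?:base64|xxd)\b"),
}

# Constructed sample: an ordinary lint phase and a phase worth reviewing.
SAMPLE = r'''
        AA0000000000000000000001 /* Lint */ = {
            shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
        };
        AA0000000000000000000002 /* Run Script */ = {
            shellScript = "eval \"$(echo PLACEHOLDER_TEXT | base64 --decode)\"\n";
        };
'''

def unescape(value):
    """Undo plist string escapes so the script reads the way the shell sees it."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), value)

def scan_text(text):
    """Return (line_number, indicator_names, script) for each flagged phase."""
    findings = []
    for match in SHELL_SCRIPT.finditer(text):
        script = unescape(match.group(1))
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(script))
        if hits:
            findings.append((text.count("\n", 0, match.start()) + 1, hits, script))
    return findings

def scan_tree(root):
    """Map each project.pbxproj under root that has findings to those findings."""
    scanned = ((p, scan_text(p.read_text(encoding="utf-8", errors="replace")))
               for p in Path(root).rglob("project.pbxproj"))
    return {str(p): found for p, found in scanned if found}

if __name__ == "__main__":
    report = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in report.items():
        print(path, [(line, hits) for line, hits, _ in found])
    sys.exit(1 if report else 0)
```

A hit is a prompt for manual review of that Run Script, not proof of compromise; legitimate build phases also use these utilities.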


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.