Hackers appear to be targeting Apple developers with a backdoor that has worked its way into a shared Xcode project. SentinelOne says an external researcher alerted the company to malicious code tainting a development project in Xcode, Apple's integrated development environment (IDE) for macOS.
The project, which the researchers say abuses the Run Script feature in Xcode, is a malicious version of an open-source project available on GitHub that helps developers animate the iOS Tab Bar.
The attackers built a version of the project that executes a malicious script and targets the victim's development machine with a backdoor. If they leverage the backdoor properly, the attackers could record through the victim's microphone or camera, or log keystrokes from the keyboard.
The revelation that malicious code is taking advantage of a shared Xcode project in the wild raises concerns about whether the attackers are interested in targeting developers in order to conduct a supply-chain attack.
There is "no indication in the console or debugger to indicate execution" of the malicious code. The custom backdoor, named EggShell, exists in two variants.
The way the attackers worked the EggShell backdoor into this particular Xcode project could apply in other scenarios, SentinelOne researchers warned, noting that they do not know the true motivation behind the attack.
The simple technique XcodeSpy uses to hide and launch a malicious script could be deployed in any shared Xcode project. Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects.
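One way to perform that check, as an added example that is not part of the report or of SentinelOne's tooling: the script below lists every Run Script build phase (`PBXShellScriptBuildPhase`) in a `project.pbxproj` file and flags patterns that warrant a closer look before the project is opened and built. The embedded pbxproj excerpt is constructed for the example, and the heuristic pattern list is an assumption, not a signature from the page.

```python
import re
# Constructed excerpt of an Xcode project.pbxproj (not from the page or from XcodeSpy):
# a routine lint step and a Run Script that decodes and runs a string in the background.
SAMPLE_PBXPROJ = r'''
		AB12CD34AB12CD34AB12CD34 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "echo \"Linting...\"\nswiftlint\n";
		};
		EF56AB78EF56AB78EF56AB78 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "eval \"$(echo ZWNobyBoaQ== | base64 -d)\" &\n";
		};
'''

# Any `<24-hex id> /* comment */ = { ... };` object; Run Script phases are then filtered by isa.
PHASE_RE = re.compile(r'([0-9A-F]{24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(.*?)\};', re.S)
ISA_RE = re.compile(r'isa\s*=\s*PBXShellScriptBuildPhase\s*;')
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+)"?\s*;')

# Review heuristics, not proof of malice: legitimate build scripts use some of these too.
SUSPICIOUS = {
    "network": re.compile(r'\b(curl|wget|nc|nscurl)\b'),
    "decode": re.compile(r'\b(base64|xxd)\b'),
    "eval": re.compile(r'\beval\b'),
    "interpreter": re.compile(r'\b(osascript|python3?|perl|ruby)\s+-'),
    "background": re.compile(r'&\s*$|\bnohup\b', re.M),
}

def unescape(s):
    # Undo pbxproj string escaping (\n, \t, \", \\) so the script reads as Xcode runs it.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def audit_run_scripts(pbxproj_text):
    # One record per Run Script build phase: id, name, decoded script, heuristic flags.
    findings = []
    for phase_id, body in PHASE_RE.findall(pbxproj_text):
        if not ISA_RE.search(body):
            continue
        script_m, name_m = SCRIPT_RE.search(body), NAME_RE.search(body)
        script = unescape(script_m.group(1)) if script_m else ''
        flags = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(script))
        findings.append({'id': phase_id, 'name': name_m.group(1) if name_m else '(unnamed)',
                         'script': script, 'flags': flags})
    return findings

if __name__ == '__main__':
    for f in audit_run_scripts(SAMPLE_PBXPROJ):
        print(f"{f['id']} {f['name']!r} flags={f['flags']}\n{f['script']}")
```

To audit a downloaded project, pass the contents of its `*.xcodeproj/project.pbxproj` to `audit_run_scripts` and read every listed script, flagged or not, since the flags only prioritise review.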