Security researchers have uncovered a new type of macOS malware that has been used in the wild to attack iOS software developers through trojanised Xcode projects.

Dubbed XcodeSpy, the malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction.

Security firm SentinelOne, which analysed the malware in a report published today said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell.

SentinelOne macOS malware researcher Phil Stokes at said that the backdoor has functionality for recording the victim's microphone, camera and keyboard, as well as the ability to upload and download files.
While the XcodeSpy server infrastructure that controlled the LaunchAgent was down, Stokes said they were able to discover several instances of the EggShell backdoor uploaded on the VirusTotal web-based malware scanner.

Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company.

Apparently the victims complain that they are always targeted by North Korean spooks and and the infection came to light as part of their regular threat hunting activities.