Date: 2025-09-26

Augmented browser targeting and persistence, as well as clipboard takeover capabilities, have been integrated into the updated version of the XCSSET macOS malware deployed in limited intrusions, BleepingComputer reports.

In addition to its original targeting of Xcode projects, the new XCSSET macOS malware variant injects a modified HackBrowserData tool to exfiltrate Firefox browser data, and adds a clipboard hijacking mechanism that tracks cryptocurrency address-related patterns in the macOS clipboard and redirects cryptocurrency to an attacker-controlled address, according to Microsoft Threat Intelligence researchers.

Additional findings showed that, for persistence and stealth, the malware creates LaunchDaemon entries that execute a ~/.root payload and establish a bogus System Settings.app. Both Apple and GitHub have already been informed about the threat, and developers should make sure they are running up-to-date macOS and app versions.

Thorough inspections of Xcode projects, particularly those shared by others, should also be conducted before they are built, said Microsoft.
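
A triage check for the two persistence traits described above, written as an added example (not Microsoft's or BleepingComputer's code): it parses launchd job plists and flags jobs that run a file named `.root` or reference a `System Settings.app` outside `/System/Applications/`. The function names, the scanned directory and the sample plists are assumptions constructed for illustration, and a hit is a lead for review rather than a confirmed infection.

```python
import plistlib
import re
from pathlib import Path, PurePosixPath

GENUINE_DIR = "/System/Applications/"  # where Apple ships System Settings.app
SETTINGS_RE = re.compile(r"(\S*/)?System Settings\.app")

def launchd_commands(plist_bytes):
    """Strings launchd will execute for this job (Program + ProgramArguments)."""
    job = plistlib.loads(plist_bytes)          # handles XML and binary plists
    cmds = [job["Program"]] if "Program" in job else []
    cmds += job.get("ProgramArguments", [])
    return [c for c in cmds if isinstance(c, str)]

def findings(plist_bytes):
    """Return (trait, evidence) pairs for the traits named in the article."""
    hits = []
    for cmd in launchd_commands(plist_bytes):
        for token in cmd.split():              # also covers "sh -c <path>" strings
            if PurePosixPath(token.strip("'\"")).name == ".root":
                hits.append(("runs_dot_root", token))
        m = SETTINGS_RE.search(cmd)
        if m and (m.group(1) or "").lstrip("'\"") != GENUINE_DIR:
            hits.append(("system_settings_outside_system_dir", cmd))
    return hits

def scan(directory="/Library/LaunchDaemons"):  # assumed scan location
    report = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            hits = findings(path.read_bytes())
        except Exception:                      # unreadable or malformed plist
            hits = [("unparseable", str(path))]
        if hits:
            report[str(path)] = hits
    return report

def sample(args):  # constructed sample job, not taken from a real infection
    return plistlib.dumps({"Label": "com.example.constructed",
                           "ProgramArguments": args, "RunAtLoad": True})

SUSPICIOUS = sample(["/bin/sh", "-c", "/Users/dev/.root"])
FAKE_APP = sample(["/tmp/constructed/System Settings.app/Contents/MacOS/System Settings"])
BENIGN = sample(["/usr/sbin/cupsd", "-l"])

if __name__ == "__main__":
    for path, hits in scan().items():
        print(path, hits)
```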