A new Mac malware specifically crafted for Apple’s new M1 chips is circulating the web targeting Xcode developers. The threat is aimed at stealing sensitive information from cryptocurrency apps.

Registered as XCSSET, the initial version of this Mac malware was first spotted in August last year when distributed via altered Xcode IDE projects that were set to execute the malicious payload. The infection was known to decompress payload modules that mimic legitimate Mac apps which later were used to infect local Xcode projects and deploy the main malware in the project builds.

Recent research dating to March of this year has revealed that XCSSET has new samples specifically crafted for the Apple new M1 chips. This indicates that the malware creators are actively working on adapting their malicious modules for natively running on the Apple Silicon Macs.

The malicious modules of XCSSET come with different capabilities, including theft of sensitive information, screenshots capturing, malicious JavaScript code insertion into websites, user data extraction, and even file encryption.

The latest details on the XCSSET samples show that the malware is targeting Safari’s development version and planting JavaScript backdoors onto websites through the use of Universal Cross-site Scripting (UXSS) attacks.

Aside from Safari, other browsers such as Google Chrome, Brave, Microsoft Edge, Mozilla Firefox, Opera, and others are also being exploited by the malware to carry out UXSS attacks.

A new feature allows XCSSET to harvest account data from different websites, including from some popular cryptocurrency trading platforms, and replace the address in the users’ crypto-currency wallet with an attacker-controlled one.

Security professionals are warning that the ability of SCSSET to spread via infected Xcode projects may lead to a chain-like attack because developers who unknowingly share their compromised Xcode projects with users could spread the malware further.