
The malware exploited vulnerabilities in Xcode, via malicious projects, so it exclusively targeted software developers.
On Monday, researchers with Jamf, a security provider for Apple enterprise users, said that XCSSET has been exploiting a zero-day that had gone undetected until recently. The vulnerability resided in the Transparency, Consent, and Control (TCC) framework, which requires explicit user permission before an installed app can obtain system permissions to access the hard drive, microphone, camera, and other privacy- and security-sensitive resources. Full details at Ars Technica.
XCSSET had been exploiting the vulnerability so it could bypass TCC protections and take screenshots without requiring user permission. Apple fixed CVE-2021-30713 (as the vulnerability is tracked) on Monday with the release of macOS 11.4.