The post says that bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the flaw, a stored XSS issue in icloud.com: a payload saved through the site that later runs in the browser of any user who views the page it is rendered into. According to Bharad, the flaw was in the Pages/Keynote features of Apple’s iCloud domain.
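The report gives no detail of the iCloud bug itself, so the following is an added illustration of the vulnerability class, not code from the article, from Bharad, or from Apple. It models a document-listing page of the kind Pages or Keynote would show: a title an attacker saves is later rendered into another user's page. The in-memory store, the title and owner fields, the `saveDocument`/`renderListing*` helpers and both payloads are constructed for the example; which field the real bug used is not stated on the page and is not claimed here. A small tokenizer at the end lists tag and attribute names the way a browser would see them, so escaped text does not trigger false positives while injected tags and event handlers do.

```javascript
// Constructed in-memory store standing in for a document list (not iCloud's code).
const documentStore = [];

// Assumed helper: persist what the user typed, unmodified, as a stored XSS bug would.
function saveDocument(owner, title) {
  documentStore.push({ owner, title });
  return documentStore.length - 1;
}

// Vulnerable rendering: stored values are concatenated straight into HTML.
function renderListingUnsafe() {
  return documentStore
    .map((d) => `<li data-owner="${d.owner}">${d.title}</li>`)
    .join("\n");
}

// Escaping that is safe for HTML text and for double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every stored value is escaped for the context it lands in.
function renderListingSafe() {
  return documentStore
    .map((d) => `<li data-owner="${escapeHtml(d.owner)}">${escapeHtml(d.title)}</li>`)
    .join("\n");
}

// Minimal HTML tokenizer: returns the tag names and attribute names a browser would
// see. Quoted attribute values are opaque, so "&quot; onerror=" inside a value is
// data, not an attribute, which a plain regex over the string would get wrong.
function scanMarkup(html) {
  const tags = [];
  const attrs = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    i++;
    if (html[i] === "/") i++;
    let name = "";
    while (i < html.length && /[A-Za-z0-9-]/.test(html[i])) name += html[i++];
    if (name) tags.push(name.toLowerCase());
    while (i < html.length && html[i] !== ">") {
      if (/\s/.test(html[i])) { i++; continue; }
      let attr = "";
      while (i < html.length && /[^\s=>\/]/.test(html[i])) attr += html[i++];
      if (attr) attrs.push(attr.toLowerCase());
      if (html[i] === "=") {
        i++;
        if (html[i] === '"' || html[i] === "'") {
          const q = html[i++];
          while (i < html.length && html[i] !== q) i++; // value is opaque until the closing quote
          i++;
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted value
        }
      } else if (html[i] === "/") {
        i++;
      }
    }
    i++; // consume '>'
  }
  return { tags, attrs };
}

// The template only ever emits <li>; anything else, or any on* attribute, came from data.
const ALLOWED_TAGS = new Set(["li"]);
function findInjectedMarkup(html) {
  const { tags, attrs } = scanMarkup(html);
  return {
    foreignTags: tags.filter((t) => !ALLOWED_TAGS.has(t)),
    eventHandlers: attrs.filter((a) => a.startsWith("on")),
  };
}

// Constructed payloads: one for the text context, one that breaks out of an attribute.
const TITLE_PAYLOAD = '<img src=x onerror="alert(document.domain)">';
const OWNER_PAYLOAD = 'x" onmouseover="alert(1)';

function demo() {
  documentStore.length = 0;
  saveDocument("alice", "Quarterly report");
  saveDocument("mallory", TITLE_PAYLOAD);
  saveDocument(OWNER_PAYLOAD, "Notes");
  return {
    unsafe: findInjectedMarkup(renderListingUnsafe()),
    safe: findInjectedMarkup(renderListingSafe()),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the unsafe listing carrying an `img` tag plus `onerror` and `onmouseover` handlers, while the escaped listing carries none. The same scanner, pointed at real responses, is a quick way to confirm a fix actually neutralised a stored payload rather than just hiding it.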
ZDNet says it’s reached out to Apple for comment and “will update when we hear back.”
After monitoring the malware for over a week, however, security firm Red Canary did not see it deliver any final payload, so the exact threat to users remains unknown. Apple has since informed MacRumors that it has revoked the certificates of the developer accounts used to sign the packages, so Gatekeeper will no longer accept those signed installers and additional Macs will not be infected through them. Apple also reiterated that Red Canary found no evidence that the malware has delivered a malicious payload to Macs that are already infected.