u/RSPJD

Suspicious Xcode project.pbxproj changes in a contributor's PR — gut-check please

(I'm not in security, but I + Claude Code seem to think this is malicious; would like community opinions. Not posting some of the raw contents, mainly the blobs, because of Reddit's aggressive post filtering / deletion.)

I was reviewing a PR from a contributor on an iOS repo where the bulk of the diff was a plausible SwiftUI feature, but the project.pbxproj had edits I can't explain as legitimate:

  • Added a PBXBuildRule that matches *.md and runs a shell script
  • Added a README.md reference to the Resources build phase (the file doesn't actually exist in the PR — it just exists to trigger the rule)
  • Added a new build setting holding a triple-base64 blob
  • Flipped ENABLE_USER_SCRIPT_SANDBOXING from YES to NO in three build configurations

I decoded the three blobs; they're all one-liners that POST a campaign tag (p=xcode_rule) to a .ru C2 endpoint with curl -fkLs and pipe the response into a shell, wrapped in a backgrounded subshell to stay silent.

Claude Code defined this as: Classic stage-1 dropper.

I've revoked the contributor's write access and the PR isn't getting merged. Want a sanity check that I'm reading this right and that it's a build-time dropper aimed at Apple signing material / dev-machine

reddit.com
u/RSPJD — 8 days ago
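
A reviewer-side check for three of the pbxproj changes listed in the post above (a script-running PBXBuildRule, ENABLE_USER_SCRIPT_SANDBOXING set to NO, and a build setting holding layered base64), as an added example that is not part of the original post. The function names, HYPOTHETICAL_SETTING and the sample project text are assumptions constructed for illustration; the sample blob encodes a harmless string.

```python
import base64, binascii, re

RULE_RE = re.compile(r'isa = PBXBuildRule;(.*?)\n\s*\};', re.S)
B64_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([A-Za-z0-9+/]{40,}={0,2})"?;', re.M)

def b64_layers(value, max_layers=5):
    """Count how many times value base64-decodes to printable ASCII."""
    data, layers = value.encode(), 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
            break
        data, layers = decoded, layers + 1
    return layers

def scan_pbxproj(text):
    """Return (kind, detail) findings for one project.pbxproj's text."""
    findings = []
    for body in RULE_RE.findall(text):           # build rules that run a script
        if re.search(r'^\s*script = ', body, re.M):
            pat = re.search(r'filePatterns = "?([^";]+)"?;', body)
            findings.append(("script-build-rule", pat.group(1) if pat else "?"))
    off = len(re.findall(r'ENABLE_USER_SCRIPT_SANDBOXING = NO;', text))
    if off:
        findings.append(("sandboxing-disabled", off))
    for name, value in B64_RE.findall(text):     # long base64-looking settings
        layers = b64_layers(value)
        if layers:
            findings.append(("encoded-build-setting", f"{name}: {layers} base64 layer(s)"))
    return findings

# Constructed sample: a harmless string, base64-encoded three times.
_blob = b"echo constructed-sample"
for _ in range(3):
    _blob = base64.b64encode(_blob)
SAMPLE = f"""
    AA0000000000000000000001 /* PBXBuildRule */ = {{
        isa = PBXBuildRule;
        filePatterns = "*.md";
        script = "# constructed placeholder";
    }};
    ENABLE_USER_SCRIPT_SANDBOXING = NO;
    HYPOTHETICAL_SETTING = "{_blob.decode()}";
"""

if __name__ == "__main__":
    print(*scan_pbxproj(SAMPLE), sep="\n")
```

Run over the PR's version of each project.pbxproj, any finding is a reason to hold the merge until a maintainer has read the project-file diff by hand.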

SQL Connect - cache revalidation

One of the newer features seems to be preferCache and the documentation (Swift) says this:

/// default policy tries to fetch from cache if fetch is within the revalidationInterval.
/// If fetch is outside revalidationInterval it revalidates / refreshes from the server.
/// Throws if server revalidation fails   
/// Callers may call with `cacheOnly` policy to fetch data (if present) outside   
/// revalidationInterval from cache.   
/// revalidationInterval is specified as part of the query YAML config using   
/// `client-cache.revalidateAfter` key

I've searched the entire SQLConnect documentation and don't see extra details about where this query YAML goes exactly. If anyone can shed any light on this I'd be grateful.

u/RSPJD — 9 days ago

It's weird what my fav part of development has become...

My fav part about development used to be UI/UX.. and of course I still enjoy it since it's such an essential part of getting users. But lately I'm obsessed with profiling my app and monitoring the graph there. My routine is wake up, have some hot beverage and look at my performance metrics while I sip. What has become of me? Someone tell me I'm not the only one!

u/RSPJD — 13 days ago