This whole thing is super fishy. From Trend Micro's technical brief:
> We have found two Xcode projects infected by the malware from researching online. One happened on July 13 and the other on July 31. Fortunately, these projects are not too relevant for other users to download and integrate these into their own projects. Still, this proves how dangerous the XCSSET malware could be for developers.
This is really the definition of FUD, no?
So out of the millions of users on GitHub and trillions of lines of code, Trend Micro found just 2 repos with Mac malware?
No self-respecting developer is going to ever use these two repos in the first place. Developers use projects with good documentation that serve an actual need.
Occam's razor more likely says they found malware authors posting to GitHub. A conspiracy theorist might even say they perhaps planted it themselves.
And why are these repos even still active? Malware is against GH's TOS. If Trend Micro actually cared, they'd report these repos as nefarious. Otherwise they have little proof as reporting anything.
And on the linked page:
> To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multidevice protection against cyberthreats. Enterprises can take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of
Alerting users to security threats is one thing. Hawking your products at the exact same time is a little desperate IMO.