[fomine3]

Is Malicious code committed to git repo, rather than only compiled binary?

I suspect that attacker thought that Xcode project contains some binary/text blobs so hard to notice it.

[jayyhu]

Indeed, the project's compiled binary doesn't contain malicious code, but the act of compiling the project causes the malicious code (which is just a binary blob) to execute and infect the system.