Vulnerability in CocoaPods Dependency Manager Exposed Millions of Apps



CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects, hosts more than 82,000 libraries and is used in over 3 million applications. The tool is written in Ruby and runs with the default Ruby installation on macOS.

The vulnerability, Justicz explains, resides in a function designed to check that a package spec uploaded to CocoaPods did not link to a private repository.

In short, the way the function checked the contents of a flag could have allowed an attacker to serve tailored content and abuse it to run commands.
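The article does not spell out the command involved. As an added illustration, not CocoaPods' own code, the Ruby below shows the kind of hardening such a pre-upload check needs: a user-supplied source URL is validated before it reaches a child process, option-like values are rejected, and the (assumed) `git ls-remote` invocation is built as an argv with a `--` separator so no value can be parsed as a flag.

```ruby
require 'uri'

# Added example, not from CocoaPods or the article. Schemes a package source
# is expected to use; anything else (file://, ssh://, ...) is refused.
ALLOWED_SCHEMES = %w[https git].freeze

class UnsafeSourceError < StandardError; end

# Returns the URL string if it is safe to pass as a positional argument.
def validate_source_url(raw)
  s = raw.to_s.strip
  raise UnsafeSourceError, 'empty source' if s.empty?
  # A value starting with '-' could be read as an option by the child process.
  raise UnsafeSourceError, "option-like value: #{s}" if s.start_with?('-')
  # Whitespace and control characters have no place in a repository URL.
  raise UnsafeSourceError, "bad characters in: #{s}" if s.match?(/[\s\x00-\x1f]/)
  begin
    uri = URI.parse(s)
  rescue URI::InvalidURIError
    raise UnsafeSourceError, "unparsable: #{s}"
  end
  unless ALLOWED_SCHEMES.include?(uri.scheme) && uri.host && !uri.host.empty?
    raise UnsafeSourceError, "scheme or host not allowed: #{s}"
  end
  s
end

# Argv for the reachability check (assumed to be `git ls-remote`). Each element
# is a separate argument, no shell is involved, and `--` ends option parsing,
# so even a value that slipped past the validator cannot become a flag.
def ls_remote_argv(raw)
  ['git', 'ls-remote', '--', validate_source_url(raw)]
end

# True if the URL passes validation, false otherwise.
def source_url_ok?(raw)
  validate_source_url(raw)
  true
rescue UnsafeSourceError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for demonstration.
  ['https://github.com/example/pod.git', '--some-option=value',
   'file:///tmp/repo'].each do |u|
    puts "#{u.inspect} -> #{source_url_ok?(u) ? 'accepted' : 'rejected'}"
  end
end
```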
