User profile for user: Ikalash762
Ikalash762 Author
User level: Level 1
4 points

Suspicious unknown folders and files appear in the cloud.

Suspicious unknown folders and files appear in the iCloud root directory.

Folders contain python (.py) source files.

I recently programmed in Python in the PyCharm development environment, but these files have a completely unknown origin.

I did not find any unknown devices linked to the account.

There was no other abnormal activity, including reports of third parties logging into the account.

How could this happen, any ideas?

Versions of unauthorized access through vulnerabilities in Apple devices have a right to exist?

MacBook Pro 14″, macOS 15.5

Posted on Jun 15, 2025 6:33 AM

Reply
Question marked as Top-ranking reply
User profile for user: Mac Jim ID
Mac Jim ID
Community+ 2026
User level: Level 9
78,712 points

Posted on Jun 15, 2025 9:12 AM

  • If a Python script installed Malware, it would be seen in one of these 3 folders and also require that you entered your Administrator Password:

/Library/LaunchDaemons

/Library/LaunchAgents

~/Library/LaunchAgents


  • If you did give Python access to your training files in iCloud, it can certainly install files/folders in the root directory without any further authorization on your part. Authorization has already been given. You can turn off Python access to iCloud at  > System Settings > [name on top] > iCloud > See All. Also on the iCloud screen, tap Drive, then review Apps syncing to iCloud Drive.


  • Malicious Python scripts can also ask for your Apple Account password and send it to a third party. If that was the case, the person that has your Apple Account password can add files to your iCloud Drive. This would not have anything to do with your Mac being compromised, but certainly your Apple Account would be. Changing the Apple Account password is all that would be needed to prevent further access.


  • As for viruses being installed by just clicking a link, that is not true although certainly would be told to you by an Antivirus company. First, viruses cannot be installed on a Mac because there is no access to the System files that are locked on a read only partition of the Hard Drive. A virus refers to a self propagating process that spreads across system files and other devices and is not possible. It may be a semantic difference in the use of the word "virus" to scare you, because certainly Malware can be installed on a Mac, and that would require you to enter your Administrator Password to install it and will not happen automatically by clicking a link. Malware is installed in one of the 3 folders listed above so it can run on startup.


  • A Trojan would be an app that you installed, and could have come from a python script, that was meant to do one thing but does something else. This app/script would then be set to run on startup in your Login Settings. For example, it may have been told to you that it simply displays the time in a window on your Desktop, but actually sends Notification that will appear on your Mac that claims you have a virus and suggest you install some software to prevent it.
View in context

Similar questions

4 replies
Question marked as Top-ranking reply
User profile for user: Mac Jim ID
Mac Jim ID
Community+ 2026
User level: Level 9
78,712 points

Jun 15, 2025 9:12 AM in response to Ikalash762

  • If a Python script installed Malware, it would be seen in one of these 3 folders and also require that you entered your Administrator Password:

/Library/LaunchDaemons

/Library/LaunchAgents

~/Library/LaunchAgents


  • If you did give Python access to your training files in iCloud, it can certainly install files/folders in the root directory without any further authorization on your part. Authorization has already been given. You can turn off Python access to iCloud at  > System Settings > [name on top] > iCloud > See All. Also on the iCloud screen, tap Drive, then review Apps syncing to iCloud Drive.


  • Malicious Python scripts can also ask for your Apple Account password and send it to a third party. If that was the case, the person that has your Apple Account password can add files to your iCloud Drive. This would not have anything to do with your Mac being compromised, but certainly your Apple Account would be. Changing the Apple Account password is all that would be needed to prevent further access.


  • As for viruses being installed by just clicking a link, that is not true although certainly would be told to you by an Antivirus company. First, viruses cannot be installed on a Mac because there is no access to the System files that are locked on a read only partition of the Hard Drive. A virus refers to a self propagating process that spreads across system files and other devices and is not possible. It may be a semantic difference in the use of the word "virus" to scare you, because certainly Malware can be installed on a Mac, and that would require you to enter your Administrator Password to install it and will not happen automatically by clicking a link. Malware is installed in one of the 3 folders listed above so it can run on startup.


  • A Trojan would be an app that you installed, and could have come from a python script, that was meant to do one thing but does something else. This app/script would then be set to run on startup in your Login Settings. For example, it may have been told to you that it simply displays the time in a window on your Desktop, but actually sends Notification that will appear on your Mac that claims you have a virus and suggest you install some software to prevent it.
Reply
User profile for user: Ikalash762
Ikalash762 Author
User level: Level 1
4 points

Jun 15, 2025 8:10 AM in response to Richard.Taylor

Thanks for the response, I realized that PyCharm did something to bypass my actions, really having access to some folders in iCloud, since my training projects are stored in a folder that syncs with iCloud.

The antivirus system also did not find anything suspicious, although antivirus manufacturers say that to infect devices (including the Apple brand), you just need to follow the link to get a virus to the device through open vulnerabilities.

Do you think I need to do a full system reset to factory defaults with a reinstallation of Mac OS to avoid future threats?

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Suspicious unknown folders and files appear in the cloud.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up