Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads
2023-08-10 • Objective-See
Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. Although the majority of such attacks impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX was also capable of infecting macOS systems. The attack is believed to be the first "chained" supply chain attack (initial access to 3CX was gained via a separate supply chain attack), and this talk will focus on its macOS payloads. To start, we will analyze the implant installed by the attackers to maintain persistent access to 3CX's macOS build server.