I can be apple and so can you by Josh Pitts from Okta REX Team

In Summary :

• A bypass found in third party developers’ interpretation of code signing API allowed for unsigned malicious code to appear to be signed by Apple.
• Known affected vendors and open source projects have been notified and patches are available.
• However, more third party security, forensics, and incident response tools that use the official code signing APIs are possibly affected.
• Developers are responsible for using the code signing API properly, POCs are released to help developers test their own code.
• The bypass affects Fat/Universal file format and the lack of verification of nested formats.
• Affects only macOS and older versions of OSX. [...]

kindly refer the following link as follow up :
https://ift.tt/2MmWHjF