The bug was discovered by Jesse Endahl and Max Bélanger, the former being the chief security officer of Mac management firm Fleetsmith, and the latter who is a staff engineer at Dropbox. According to Endahl, “We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time. By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”
This bug is said to take advantage of Apple’s Device Enrollment Program and the Mobile Device Management platform. These are tools that allows companies to customize a Mac from Apple that is then shipped directly to the company, but the flaw would allow hackers to put malware onto the computers remotely, meaning that the computer is already compromised even before the user takes it out of the box and turns it on.
The good news is that it appears that Apple has addressed the issue when they were notified by the researchers. The vulnerability was patched in macOS High Sierra 10.13.6, but devices shipped with an older build could still be vulnerable to it.