Included in these documents are projects such as "Sonic Screwdriver", among others. As explained by the CIA, this project is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting", allowing an attacker to boot its attack software, for example from a USB stick, "even when a firmware password is enabled". The Sonic Screwdriver infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
DARK SEA SKIES
"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.
TRITON, DARK MALLET, DERSTAKE1.4
Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStake" are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA is continuing to rely on and update these systems. The production of DerStake2.0 is currently taking place.
The release also contains the manual for the CIA's "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone. Note that NightSkies reached 1.2 by 2008 and is expressly designed to be physically installed onto factory-restored phones. The iPhone supply chain is targeted and has been infected by the CIA since 2008.
CIA assets are sometimes used to physically infect systems that are in the custody of a target. It is very likely that many CIA physical access attacks have infected the targeted organization's supply chain by interdicting mail orders and other shipments (opening, infecting and resending them) leaving the United States or otherwise.