EXECUTIVE SUMMARY
Researchers uncovered a malicious campaign using spoofed Homebrew installer sites built to replicate the official page. These fake sites tricked macOS users into executing hidden commands that installed malware alongside the legitimate software. The pages looked identical to the original Homebrew site but replaced the normal installation text box with a single Copy button, so the only thing a user could copy was a pre-set command carrying an additional payload, in the style of "ClickFix" campaigns that manipulate users into pasting malicious shell commands. The deception gave attackers an effective infection vector by exploiting user trust in official installation processes. Unlike typical supply-chain attacks on package registries such as npm, this operation traded on Homebrew's strong reputation and its developer user base.
Analysis of the spoofed sites revealed embedded JavaScript that blocked manual text selection and copying, forcing users to use the Copy button; clicking it also triggered a POST request that logged the interaction. Russian-language comments in the code marked where malicious payloads were to be inserted, suggesting the infrastructure was built for payload delivery as a service. The JavaScript also contained mechanisms for exfiltrating user data via messaging services such as Telegram. Initially the injected command section was empty, but it was later updated to include a base64-encoded payload, confirming the site's intent to distribute malware. The same infrastructure was observed delivering Odyssey Stealer, linking this activity to a broader, commodity-style threat operation. Previous reports described similar attacks distributing Cuckoo Stealer through fake Homebrew pages, showing a recurring pattern of exploiting trusted software installation paths to compromise systems.
This campaign illustrates how even trusted software ecosystems can be exploited when user trust is abused. Developers and system administrators are prime targets because compromising their machines can expose sensitive credentials and corporate infrastructure. The continued presence of spoofed Homebrew sites for extended periods raises the infection risk and shows how persistent and scalable these operations can be. The incident underscores that package managers themselves can become attack vectors, not just the software distributed through them. By mimicking familiar installation flows, attackers lower user suspicion and achieve rapid, widespread compromise. The campaign also reflects a broader shift toward exploiting legitimate tools and websites for malware distribution rather than relying solely on traditional delivery channels. Defensive measures include continuously monitoring domain registrations for look-alike sites and ensuring that installation commands originate only from verified sources, for Homebrew the command published on brew.sh. Ongoing tracking by researchers continues to uncover additional spoofed domains, indicating that this operation remains active and adaptable within the threat landscape.
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Initial Access | T1189 | Drive-by Compromise | – |
Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
Execution | T1204.004 | User Execution | Malicious Copy and Paste |
Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
Persistence | T1547 | Boot or Logon Autostart Execution | – |
Defense Evasion | T1562 | Impair Defenses | – |
Collection | T1056 | Input Capture | – |
Command & Control | T1071.001 | Application Layer Protocol | Web Protocols |
Command & Control | T1105 | Ingress Tool Transfer | – |
Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
MBC MAPPING:
Objective | Behaviour ID | Behaviour |
---|---|---|
Execution | E1204 | User Execution |
Defense Evasion | F0015.001 | Export Address Table Hooking |
Command and Control | C0002.002 | HTTP Communication (Client) |
Discovery | E1082.m02 | Enumerate Environment Variables |
Collection | C0051 | Read File |
Credential Access | F0002.002 | Keylogging (Polling) |
Anti-Static Analysis | B0032.018 | Symbol Obfuscation |
Command and Control | E1105 | Ingress Tool Transfer |
Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further
https://securityonline.info/homebrew-spoofing-fake-installer-sites-use-clipboard-injection-to-compromise-macos-developers/
https://the-sequence.com/brewing-trouble-homebrew-spoofed-sites-rise