In September 2025, Kandji’s security researchers uncovered a sophisticated campaign in which attackers deployed multiple spoofed Homebrew installer sites that perfectly mimic the official brew.sh page.
These counterfeit domains served a hidden malicious payload under the guise of the standard Homebrew installation script. This exposé delves into the tactics, infrastructure, and impact of this alarming trend.
Package managers have become a favorite target for supply-chain compromise over the past few years, with high-profile incidents involving NPM typosquatting and PyPI malicious packages dominating headlines.
Homebrew, the most widely used package manager on macOS, had remained unscathed until now—an oasis of stability amidst a storm of ecosystem compromises.
A quick web search for “Homebrew compromise” yields no recent incidents, unlike the deluge of articles on the Shai-Hulud package worm affecting NPM users. Yet threat actors have adapted, shifting to a different approach that targets end users directly by cloning the Homebrew website itself.
In just one week, Kandji analysts discovered four malicious domains—such as homebrewoneline[.]org—resolving to the IP address 38[.]146[.]27[.]144. Each domain presented a flawless carbon copy of the Homebrew homepage.
Unlike the real site, however, these replicas restricted all text selection and copying within the install command block, funneling victims into using a single “Copy” button that surreptitiously loaded an attacker-injected command into the clipboard.
Anatomy of the Attack
At the heart of the spoofed sites lies a snippet of embedded JavaScript that locks down the installation instructions and substitutes the user’s clipboard content.
When visitors click the Copy button, the script triggers the copyInstallCommand() function, which writes a hidden command to the clipboard before executing the legitimate Homebrew install line.
Simultaneously, a fetch request is sent to notify.php, logging metadata such as the click time and user environment. Russian-language comments within the code reveal placeholders for base64-encoded payloads and even suggest exfiltration endpoints like Telegram.
This modular design hints at a commodity-style operation, enabling the attacker to swap in different payloads at will.
Rather than relying on a single infection, the infrastructure also served the Odyssey Stealer in parallel, effectively combining credential theft with persistent malware implant.
Screenshots of both the authentic Homebrew install page and its spoofed counterpart highlight the only visual difference: the absence of manual copy functionality.
The true danger, however, lies in the unseen extra line in the clipboard, pulled into the victim’s terminal without their knowledge.
Mitigations
This campaign underscores a critical lesson for macOS developers and administrators: supply-chain security extends beyond packages to encompass the very tools that manage them. Developers often install Homebrew once and assume it remains trustworthy.
In reality, attackers can weaponize convenience by luring users to clone sites. To guard against such vectors, users should always verify install commands against trusted sources and avoid pasting shell snippets from unverified webpages.
Confirm the domain (brew.sh) and examine the clipboard contents before executing any command. Enterprise defenses should include endpoint monitoring that flags unexpected fetch calls or base64-encoded payloads triggered during installation.
Kandji Threat Intelligence continues to scour the internet for new spoofed domains, cataloging dozens more in a public repository maintained by Mikhail Kasimov.
By integrating these IOCs into security tooling and educating end users on safe installation practices, organizations can reduce their exposure to this emerging threat. As package-manager-based malware evolves, vigilance in verifying both package sources and installer sites remains the most effective defense.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
