A malicious Google search advertisement impersonating the Homebrew package manager has been distributing a macOS infostealer named MacSync to developer workstations. The campaign exploits the fact that many macOS users — particularly developers new to the platform — find and install Homebrew via a Google search rather than directly accessing the official brew.sh domain, making them susceptible to a well-placed malicious advertisement that appears at the top of search results.
The Attack Chain
The malicious Google advertisement appeared alongside legitimate search results for queries including “homebrew mac”, “install homebrew”, and “homebrew package manager”. The advertisement displayed a domain closely resembling the official Homebrew site. Victims who clicked the advertisement were directed to a convincing clone of the brew.sh website where they were invited to run the standard Homebrew installation command — a curl pipe to bash invocation — modified to fetch the MacSync payload alongside (and as a decoy for) a genuine Homebrew installation.
The MacSync payload is packaged as a macOS disk image (.dmg) disguised as the Homebrew installer. After execution, it:
- Installs functional Homebrew to maintain the deception and avoid immediate suspicion
- Escalates to gather system information and establish persistence via a LaunchAgent in ~/Library/LaunchAgents/
- Harvests browser credential databases from Chrome, Brave, Firefox, and Safari (including iCloud Keychain-backed Safari passwords if the user grants the required permissions or the malware exploits a local macOS authorisation bypass)
- Collects macOS Keychain items accessible without additional authentication
- Targets cryptocurrency wallet files from common desktop wallet applications including Ledger Live, Exodus, and MetaMask’s local storage
- Exfiltrates collected data via HTTPS to attacker-controlled infrastructure
The payload is unsigned and not notarised by Apple, meaning it should trigger macOS Gatekeeper on installation. However, the installation instructions on the fake site instructed users to right-click and open the .dmg to bypass Gatekeeper — a technique that many developers are already conditioned to use for legitimate unsigned tools in development workflows.
Why Homebrew Is a High-Value Targeting Vehicle
Homebrew is installed on the vast majority of macOS developer machines — estimates suggest 70–80% of macOS software developers use it. A developer who installs Homebrew via a malicious advertisement would likely be:
- Early in their macOS setup, potentially configuring a new machine with all secrets and credentials
- A software developer with access to company source repositories, cloud provider credentials, and deployment keys
- Running the installer with elevated permissions as part of initial system setup, when their security posture is most relaxed
The credential harvest from a developer machine typically includes far more valuable material than a consumer account — corporate SSO credentials, cloud API keys, private keys for CI/CD pipelines, and access tokens for code repositories.
macOS-Specific Mitigations
Verify Homebrew installation source: Users should install Homebrew exclusively via the official command from brew.sh, accessed directly — not via a Google search. The official install command is: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)". Verify the URL begins with raw.githubusercontent.com/Homebrew/install.
Enable macOS System Integrity Protection: SIP limits what system directories a process can write to, reducing the persistence mechanisms available to unsigned malware. Confirm SIP is enabled via csrutil status in Terminal.
Deploy endpoint protection with macOS-specific coverage: Many enterprise EDR products have historically provided weaker coverage on macOS than Windows. Confirm your EDR vendor has macOS-specific infostealer detection rules and that macOS devices are enrolled.
Verify Homebrew integrity: Users who installed Homebrew recently via a Google search should check that the installation path is /usr/local/Homebrew (Intel) or /opt/homebrew (Apple Silicon) and verify the git remote for the Homebrew repository: brew --prefix && git -C $(brew --prefix) remote -v — the remote should point to github.com/Homebrew/brew, not any other repository.
Audit LaunchAgents: Any unexpected LaunchAgent in ~/Library/LaunchAgents/ or /Library/LaunchAgents/ should be investigated. Legitimate Homebrew does not install LaunchAgents.
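A script that automates the Homebrew remote, SIP and LaunchAgent checks above, added here as an example and not taken from the article or the Homebrew project. Each check takes its input as text so it can be run against captured output on any host; the live runner uses brew --repository, which resolves to the git checkout on both Intel (/usr/local/Homebrew) and Apple Silicon (/opt/homebrew).

```shell
#!/bin/bash
# Post-install Homebrew audit: checks run on captured text, audit_host runs them live.

# Returns 0 when every non-blank line of `git remote -v` output points at the
# official Homebrew repository over https, ssh:// or git@ transport.
check_brew_remote() {
  local remotes="$1"
  [ -n "$remotes" ] || return 1
  printf '%s\n' "$remotes" | grep -v '^[[:space:]]*$' \
    | grep -vE '(https://|ssh://git@|git@)github\.com[:/]Homebrew/brew(\.git)?[[:space:]]' >/dev/null \
    && return 1   # at least one remote line points somewhere else
  return 0
}

# Returns 0 when `csrutil status` output reports SIP enabled.
check_sip() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints "<plist path> <Label> <first ProgramArguments entry>" for every
# LaunchAgent in the given directories. Parses the XML with sed instead of
# plutil so it also runs on non-macOS hosts against copied plists.
list_launch_agents() {
  local dir f label prog
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*.plist; do
      [ -f "$f" ] || continue
      label=$(sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f")
      prog=$(sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/{s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f" | head -n 1)
      printf '%s\t%s\t%s\n' "$f" "${label:-?}" "${prog:-?}"
    done
  done
}

# Live run on macOS; brew --repository is the git checkout on Intel and Apple Silicon.
audit_host() {
  if check_sip "$(csrutil status 2>/dev/null)"; then echo "SIP: enabled"; else echo "SIP: NOT enabled"; fi
  if check_brew_remote "$(git -C "$(brew --repository)" remote -v 2>/dev/null)"; then
    echo "Homebrew remote: official"
  else
    echo "Homebrew remote: UNEXPECTED, inspect: git -C \$(brew --repository) remote -v"
  fi
  echo "LaunchAgents (a legitimate Homebrew install creates none):"
  list_launch_agents "$HOME/Library/LaunchAgents" /Library/LaunchAgents
}
```

Source the file and call audit_host on the macOS machine under review; any LaunchAgent whose program lives under a user-writable cache or temp path deserves a closer look.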
This campaign is consistent with a broader pattern of malvertising targeting developer tooling — a population with particularly high-value credentials on their machines and a workflow that frequently requires running installation commands from the internet.