Ryan Chenkie:

Developers, please be careful when installing Homebrew. Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site.

Note: Google allows the ad sponsors to specify a URL that will be displayed on the ad (original brew.sh here), but the click takes you to the malware domain brewe.sh.

#Apple #HomeBrew #Google #MacOS

Automated Malware Analysis Report for - Generated by Joe Sandbox

@kravietz I asked ChatGPT what the osascript is doing—
"This malicious macOS script steals sensitive data like browser cookies, saved passwords, wallet files, and app data (Safari, Chrome, Firefox, Telegram, Notes). It compresses the data into a ZIP file and uploads it to a remote server. It uses system commands to bypass security, extract keychain passwords, and trick users into entering credentials. After exfiltration, it deletes traces to avoid detection."