Infostealer deployed through Homebrew-exploiting malvertising campaign
![The Google Ads logo and app on a home page.](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2024/04/041824_google_ads.jpg)
(Adobe Stock)
Security researcher Ryan Chenkie discovered that Homebrew, the widely used open-source package manager for macOS and Linux, has been exploited in a new malvertising campaign that uses fake Google ads to distribute information-stealing malware, BleepingComputer reports. The attackers used a malicious Google ad that displayed Homebrew's proper "brew.sh" URL but redirected to the typosquatted "brewe[.]sh" site, which lures targets into a package manager download that enables infostealer malware execution, according to Chenkie.

Further analysis of the malware by security researcher JAMESWT revealed that the campaign launched the Atomic macOS Stealer payload, also known as AMOS, which could compromise a plethora of cryptocurrency extensions, desktop crypto wallets, and web browser information.

The malicious ad has already been removed from Google search results, said Homebrew project leader Mike McQuaid, who chastised Google for its inadequate vetting processes. "There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good," said McQuaid.