Hackers Hijack Fake Homebrew Sites to Deliver Malware on macOS Devices

Kandji researchers uncovered a September 2025 campaign in which attackers cloned the official Homebrew site (e.g., homebrewoneline[.]org) to serve malicious payloads. When a visitor clicks the "Copy" button, the page's JavaScript writes a different command to the clipboard than the one displayed: it runs the legitimate installer but also fetches and executes hidden, base64-encoded malware, such as the Odyssey Stealer, and notifies the attackers of the new victim.


The attack exploits Homebrew's popularity among macOS developers. Embedded scripts on the cloned page block manual text selection, so users have to rely on the poisoned "Copy" button, and issue fetch requests to command-and-control endpoints (e.g., notify.php). Russian-language comments in the code indicate a modular design that lets operators swap payloads, which points to a commodity threat rather than a one-off. The campaign highlights supply-chain risks in package managers: attackers abuse the trust users place in a familiar install one-liner to get their first foothold.


Mitigate by verifying install commands against the one published at brew.sh before running them, avoiding unverified sites, and using endpoint monitoring to catch suspicious fetch calls or base64-decoded payloads launched from a terminal. Kandji's IOC repository tracks the domains used in this campaign; integrate it into security tooling and educate users on safe install practices to counter evolving malware in the macOS ecosystem.
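The "verify the pasted command" mitigation can be automated before anything is run. The script below is an added example written for this article, not code from Kandji or NPAV; it assumes the official brew.sh one-liner as published at the time of writing (re-check it on brew.sh, since it can change), and the "bad" inputs in the usage and tests are constructed samples with an inert base64 string, not real campaign payloads.

```python
import re
import sys
from urllib.parse import urlparse

# Reference one-liner as published on https://brew.sh (assumption: verify it there).
OFFICIAL_INSTALL_CMD = (
    '/bin/bash -c "$(curl -fsSL '
    'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
)
TRUSTED_HOSTS = {"raw.githubusercontent.com", "github.com", "brew.sh"}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
BASE64_DECODE_RE = re.compile(r"base64\s+(-d|-D|--decode)\b")
CHAIN_RE = re.compile(r";|&&|\|\||\|")


def normalize(text: str) -> str:
    """Collapse whitespace so line breaks or padding cannot hide a mismatch."""
    return " ".join(text.split())


def check_install_command(text: str) -> list[str]:
    """Return findings for a clipboard command; [] means it is exactly the official one."""
    norm = normalize(text)
    if norm == OFFICIAL_INSTALL_CMD:
        return []
    findings: list[str] = []
    # The campaign keeps the real installer and appends its own stage, so strip the
    # official command and inspect whatever is left over.
    remainder = norm.replace(OFFICIAL_INSTALL_CMD, "", 1).strip()
    if remainder == norm:
        findings.append("does not contain the official brew.sh installer command")
    else:
        findings.append(f"official installer wrapped with extra commands: {remainder[:60]!r}")
    for url in URL_RE.findall(remainder):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            findings.append(f"fetches from untrusted host: {host}")
    if BASE64_DECODE_RE.search(remainder):
        findings.append("decodes a base64 blob at install time")
    if CHAIN_RE.search(remainder):
        findings.append("chains additional commands with ; && || or |")
    return findings


if __name__ == "__main__":
    # Typical use on macOS: pbpaste | python3 check_brew_cmd.py
    for line in check_install_command(sys.stdin.read()) or ["OK: matches official installer"]:
        print(line)
```

Piping the clipboard through the script (pbpaste on macOS) turns the "compare against brew.sh" advice into a habit that does not depend on the user spotting an extra `| base64 -d | sh` by eye.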