Homebrew, the popular open-source macOS and Linux package manager has become the latest victim of a malvertising campaign to distribute information-stealing malware. Security researcher Ryan Chenkie uncovered the scheme, which leverages fake Google ads to deliver malware that compromises user credentials, browser data, and cryptocurrency wallets.
The Malware Behind the Campaign
AmosStealer (Atomic), a notorious information-stealing malware designed to target macOS systems, is the malicious software at the center of this campaign. Sold as a subscription service for only $1,000 per month, AmosStealer has become a popular tool among malefactors targeting Apple users.
It has also been spotted in other recent campaigns, such as those using fake Google Meet pages to fool victims into downloading malware.
Malicious Ads Mimic Trusted URLs
The attack begins with a malicious Google advertisement displaying the legitimate Homebrew URL, “brew.sh,” to deceive users. While the ad appears authentic, clicking it redirects users to a fake site hosted at the subtly tweaked domain “brewe.sh.”
This URL manipulation technique exploits user familiarity with trusted domains, making it a widespread tactic in malvertising campaigns.
How the Attack Unfolds
Visitors to the fake site are prompted to install Homebrew by copying and executing a command displayed in the macOS Terminal or Linux shell. The process mirrors the legitimate installation method provided by Homebrew’s official site, adding to the deception.
However, the command from the fake website installs malware instead of the intended software, compromising the victim’s system.
A Rising Threat to Open-Source Communities
The exploitation of Homebrew is a perfect example of a growing trend in cyberattacks targeting widely used open-source tools and platforms. By preying on user trust and familiarity, malefactors are using more and more malvertising as an effective distribution method for malware like this latest scourge.
Users are advised to exercise caution when accessing software through online ads and to make sure they are visiting official URLs directly. For Homebrew, users should verify they are on the official “brew.sh” domain before proceeding with any downloads or installations.
Exploiting the Human Factor
According to Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, fraudsters using tactics, techniques, and procedures (TTPs) to trick users into executing a fake URL similar to a legitimate URL still works today, exploiting the ‘human factor’ of social engineering.
“Users must be educated and aware to carefully inspect all links, external emails, and related data to ensure it is legitimate and not malicious content, like a ‘near miss’ or typo squatting type domain.”
Dunham says that in this instance, the difference between “brew” and “brewe” is tricky for some users to spot as malicious, and several best practices can be used. Firstly, only go to legitimate application and distribution sites, confirm app vendors and sources, and go to sites directly instead of through a link received by email or phone.
“Malvertising continues to be an effective eCrime marketplace strategy, where users are tricked into malicious sites and traffic instead of using legitimate sources with less risk. MacOS has arrived as a more popular OS with increased assets of value to threat actors in the professional environment globally, and it is increasingly being targeted by bad actors in 2025 as evidenced in this most recent attack,” Dunham adds.
Protecting Advertising Platforms
According to Eric Schwake, Director of Cybersecurity Strategy at Salt Security, bad actors exploit widely used software and services. “Using a counterfeit Homebrew website to spread malware, these cyber attackers showcase their sophistication and innovative tactics, continually discovering new methods to mislead and infiltrate users.”
Schwake says although the malware is not new, delivering it via Google ads highlights the need to protect advertising platforms. Advertisers need to remain alert and take measures to validate the legitimacy of the websites they endorse. Entities, too, must improve security on all devices, including macOS, which is often viewed as more secure than others.
“Key actions include deploying robust endpoint security solutions, improving employee awareness of phishing risks, and ensuring that software is regularly updated with the latest security patches.”
Regarding API security, Schwake says this campaign stresses the need to secure API endpoints within advertising platforms.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.