Saturday, June 14, 2025
Malicious Google Ads Impersonate Homebrew to Spread macOS Malware

by Charline

A sophisticated malvertising campaign has been caught targeting software developers through fake Google ads that impersonate the Homebrew package manager website, leading unsuspecting users to install powerful macOS malware.

Attack Method: Simple but Effective

The campaign was first discovered by developer Ryan Chenkie on January 18. It involves fake Google advertisements that appear to link to the official Homebrew site at brew.sh, but actually redirect users to a lookalike domain, brewe.sh—a subtle change that many users may not notice.

The fake site mimics the official Homebrew installation page and urges users to run a terminal command. Instead of installing Homebrew, the command downloads and runs AmosStealer, also known as Atomic Stealer—a known macOS information stealer.

AmosStealer Capabilities

Security researcher JAMESWT analyzed the malware and confirmed it is capable of stealing:

  • Login credentials and browser data
  • Cryptocurrency wallets and desktop wallet app data
  • Private files and sensitive developer information

AmosStealer targets over 50 cryptocurrency-related browser extensions. It is sold on dark web marketplaces, with monthly subscription plans ranging from $1,000 to $3,000—suggesting that this campaign is backed by a well-funded malware-as-a-service operation.

Why Homebrew Was Targeted

Homebrew is a popular package manager for macOS and Linux, used by developers and system administrators to install software. Its technical user base often holds sensitive data, making it a prime target for cybercriminals seeking access to credentials or crypto wallets.

Response and Industry Concerns

Google has removed the malicious ads and suspended the accounts involved. However, Homebrew project leader Mike McQuaid criticized the repeated nature of such incidents and called for stronger ad screening systems.

The incident raises fresh concerns about the security of online ad platforms. Experts warn that even users who double-check URLs may fall victim when ad systems show verified links that redirect elsewhere.

Recommendations for Developers and Organizations

Security professionals recommend the following to avoid similar threats:

  • Use direct bookmarks to access trusted tools and avoid clicking on ads.
  • Install software only from verified sources.
  • Implement advanced endpoint protection tools on developer machines.
  • Regularly train teams to recognize phishing and malvertising techniques.

This campaign shows how attackers are evolving their methods by exploiting trusted ad platforms to target high-value users. Greater cooperation between advertisers, security companies, and tech platforms is essential to prevent such threats from reaching the public.


© 2024 Copyright  proxyserverpro.com