Malicious Homebrew Advertisement Delivers MacSync Stealer to macOS Users
What Happened — A malicious advertisement displayed on the Homebrew (brew.sh) website redirected macOS visitors to a download of the MacSync infostealer. Once executed, the payload harvests browser-stored passwords, SSH private keys and other system data and exfiltrates them to remote command-and-control (C2) servers.
Why It Matters for TPRM —
- Malvertising on a popular developer tool creates a supply‑chain foothold that can compromise corporate laptops.
- Credential theft from macOS endpoints can cascade into unauthorized access to SaaS applications and cloud services.
- Shows that even a trusted developer site can serve hostile third‑party content (ads), so both web‑content vetting and endpoint protection must cover heterogeneous device fleets, including the macOS hosts that are often the least instrumented.
Who Is Affected — Technology and SaaS vendors, MSPs, enterprises with macOS workstations, and any organization that allows employees to install software from Homebrew.
Recommended Actions — Restrict exposure to ad networks on corporate browsers (ad blocking or web‑gateway policy), enforce web‑gateway URL filtering for known malicious domains, deploy EDR/XDR with macOS coverage, monitor network traffic for MacSync IOCs, and treat any confirmed infection as a credential compromise: rotate browser‑saved passwords and SSH keys from the affected host and review the SaaS and cloud accounts they unlock.
Technical Notes — Attack vector: malicious ad (malvertising) leading to a drive‑by download; no CVE involved. Data types exfiltrated include browser credentials, SSH private keys, and system inventory. Source: SANS Internet Storm Center
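The following is an added example, not code from the advisory or from SANS ISC, showing how the "URL filtering" and "monitor for IOCs" recommendations above can be turned into detection logic over web‑gateway logs. It runs over a few constructed, tab‑separated proxy records; the IOC domains, the ad‑network hosts and the allowlist of hosts that legitimately serve Homebrew artifacts are all placeholders (the `.invalid` TLD is reserved and never resolves) that you would replace with your own feed and allowlist. Two rules are applied: any contact with an IOC domain, and a macOS client pulling an installer‑type file from a non‑allowlisted host after arriving via brew.sh or an ad network, which is the drive‑by pattern described in the technical notes.

```python
"""Flag drive-by macOS installer downloads and IOC contacts in gateway logs.

Added example for this advisory; the log format, IOC domains, ad-network
hosts and Homebrew allowlist below are constructed assumptions, not data
from the original page.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Placeholder IOC list (assumption). NOT real MacSync indicators: wire this
# to the threat-intel feed your SOC actually consumes.
MACSYNC_IOC_DOMAINS = {"example-c2.invalid", "sync-update.invalid"}

# Referers that indicate the user came from Homebrew's site or an ad click
# (assumption; extend with the ad networks seen in your own logs).
REFERERS_OF_INTEREST = {"brew.sh", "ads.example-adnet.invalid"}

# Hosts from which Homebrew artifacts are legitimately served (assumption for
# this example; derive your own allowlist from the project's published install
# instructions and keep it under change control).
EXPECTED_HOMEBREW_HOSTS = {
    "brew.sh",
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Installer-type files a malvertising redirect typically pushes at macOS users.
MAC_PAYLOAD_SUFFIXES = (".dmg", ".pkg", ".zip", ".sh", ".command")


@dataclass(frozen=True)
class Alert:
    rule: str
    client: str
    url: str
    reason: str


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' for '-' / malformed values."""
    return (urlsplit(url).hostname or "").lower()


def _is_macos(user_agent: str) -> bool:
    return "Macintosh" in user_agent or "Mac OS X" in user_agent


def _on_ioc_list(host: str) -> bool:
    # Match the IOC domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in MACSYNC_IOC_DOMAINS)


def analyze(log_text: str) -> list[Alert]:
    """Apply both rules to tab-separated records:
    timestamp, client_ip, method, url, status, referer, user_agent."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        fields = raw.split("\t")
        if len(fields) != 7:
            continue  # blank or malformed record; a real pipeline would count these
        _ts, client, _method, url, _status, referer, ua = fields
        host = _host(url)
        path = urlsplit(url).path.lower()

        # Rule 1: any request to a known C2 / IOC domain, regardless of method.
        if _on_ioc_list(host):
            alerts.append(Alert("ioc_domain", client, url,
                                f"host {host} is on the IOC list"))
            continue

        # Rule 2: macOS client fetches an installer-type file from a host that
        # is not where Homebrew ships from, having arrived via brew.sh or an ad.
        if (_is_macos(ua)
                and path.endswith(MAC_PAYLOAD_SUFFIXES)
                and _host(referer) in REFERERS_OF_INTEREST
                and host not in EXPECTED_HOMEBREW_HOSTS):
            alerts.append(Alert("drive_by_download", client, url,
                                f"installer fetched from {host} via {_host(referer)}"))
    return alerts


# Constructed sample records (not real traffic). Record 2 is the drive-by
# download, record 3 the C2 upload, record 4 a legitimate Homebrew download.
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15"
SAMPLE_LOG = "\n".join([
    "\t".join(["2025-11-12T10:01:05Z", "10.0.0.21", "GET", "https://brew.sh/",
               "200", "-", MAC_UA]),
    "\t".join(["2025-11-12T10:01:09Z", "10.0.0.21", "GET",
               "https://cdn-assets.invalid/Homebrew-Installer.dmg",
               "200", "https://brew.sh/", MAC_UA]),
    "\t".join(["2025-11-12T10:01:40Z", "10.0.0.21", "POST",
               "https://example-c2.invalid/upload", "200", "-", "curl/8.4.0"]),
    "\t".join(["2025-11-12T10:02:00Z", "10.0.0.33", "GET",
               "https://github.com/Homebrew/brew/releases/download/4.4.0/Homebrew-4.4.0.pkg",
               "200", "https://brew.sh/", MAC_UA]),
])

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] {a.client} {a.url} ({a.reason})")
```

Rule 2 deliberately keys on the combination of client platform, file type, referer and destination rather than on the file name, because the lure file name is the attacker's choice and changes between campaigns; the allowlist of distribution hosts is the part that should stay stable and be reviewed when Homebrew changes its install instructions.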