Malicious Google Ad for Homebrew Distributes MacSync Stealer to macOS Users
A malicious Google ad impersonating the Homebrew package manager is actively distributing MacSync Stealer malware to macOS users, exfiltrating passwords and system data.

A malicious Google ad impersonating the Homebrew package manager for macOS is actively distributing MacSync Stealer malware, according to a report from the SANS Internet Storm Center. The campaign, observed on April 30, 2026, remains active as of May 1. The fake site, hosted at sites.google.com/view/brewpage, prompts victims to copy and paste a script that downloads a multi-stage payload, ultimately exfiltrating system data to a command-and-control (C2) server.
The attack begins when a user searches for Homebrew and clicks on a malicious Google ad. The ad leads to a convincing fake Homebrew page that instructs the user to copy a script and paste it into a terminal. The script downloads an initial payload from the C2 server glowmedaesthetics.com, which then fetches a second-stage shell script. This script prompts the user for their macOS password via a popup, granting the malware elevated privileges.
Once executed, MacSync Stealer collects passwords and other sensitive files from the system, compressing them into /tmp/osalogging.zip. The archive is then exfiltrated to the C2 server. The malware also requests access to the Finder app, further enabling data theft. The entire infection chain is designed to be stealthy, with minimal user interaction beyond the initial copy-paste and password entry.
The campaign targets macOS users, a growing demographic as Macs and Mac minis become more popular. The fake Homebrew page remains live, and the malicious ad is still appearing in search results. Indicators of compromise include the fake site URL (hxxps://sites.google.com/view/brewpage), the C2 domain glowmedaesthetics.com, and specific file hashes for the scripts involved.
Users are advised to avoid clicking on ads for software downloads and instead navigate directly to the official Homebrew website at brew.sh. Organizations should block the malicious domains and educate users about the risks of copy-pasting scripts from untrusted sources. The SANS ISC has provided detailed IoCs to aid in detection and response.
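The network and file indicators named above can be checked against existing proxy or endpoint logs. The following is an added example, not code from the SANS ISC report or this article: the log format, sample lines and function names are constructed, the URL path on the C2 line is a placeholder, and file hashes are omitted because this page does not list them.

```python
import re
from urllib.parse import urlsplit

# IoCs named in the article (file hashes are not listed on the page, so none are used).
C2_DOMAIN = "glowmedaesthetics.com"
LURE_HOST, LURE_PATH = "sites.google.com", "/view/brewpage"
STAGING_FILE = "/tmp/osalogging.zip"
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.IGNORECASE)

def refang(text):
    """Undo common defanging (hxxp, [.]) so IoCs copied from reports still match."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def classify_url(url):
    """Return 'c2-domain', 'lure-page' or None for a single URL."""
    try:
        parts = urlsplit(refang(url).strip())
    except ValueError:  # malformed URL in a log line: not a match
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    # Match the domain and its subdomains, but not lookalike suffixes.
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        return "c2-domain"
    # sites.google.com is a legitimate host; only the lure path is flagged.
    path = parts.path.rstrip("/").lower()
    if host == LURE_HOST and (path == LURE_PATH or path.startswith(LURE_PATH + "/")):
        return "lure-page"
    return None

def scan(lines):
    """Return (line_number, reason) for every log line that references an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = {classify_url(u) for u in URL_RE.findall(line)}
        if STAGING_FILE in line:
            reasons.add("staging-archive")
        hits.extend((n, r) for r in sorted(reasons - {None}))
    return hits

# Constructed sample lines (proxy and file-event style), not real telemetry.
SAMPLE = [
    "2026-04-30T10:01:02Z GET https://brew.sh/ 200",
    "2026-04-30T10:01:09Z GET https://sites.google.com/view/brewpage 200",
    "2026-04-30T10:01:40Z GET https://glowmedaesthetics.com/placeholder-path 200",
    "2026-04-30T10:02:11Z file_create path=/tmp/osalogging.zip proc=zip",
    "2026-04-30T10:03:00Z GET https://sites.google.com/view/team-wiki 200",
    "2026-04-30T10:03:05Z GET https://notglowmedaesthetics.com/ 200",
    "report: hxxps://sites[.]google[.]com/view/brewpage",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit on the lure page alone shows exposure to the fake site; a C2 request or the staging archive on the same host indicates the pasted script actually ran.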
This incident highlights the growing threat of malvertising targeting macOS, a platform often perceived as more secure. As macOS adoption increases, attackers are investing in sophisticated social engineering and multi-stage payloads to compromise these systems. Users must remain vigilant and verify the authenticity of download sources before executing any commands.