Brewing Trouble: Homebrew Spoofed Sites on the Rise

The Sequence (the-sequence.com)

In September 2025, Iru's security researchers identified multiple spoofed Homebrew installer sites designed to mimic the official brew.sh page. These replicas injected malicious payloads under the guise of a standard install. In this post, we examine the tactics, infrastructure, and impact of the campaign.

Seemingly every week, there’s panic about a package manager (NPM, PyPI, and others) allowing a typosquatted malicious package to slip through review, or a popular library getting hit by a supply-chain compromise.

By contrast, Homebrew, arguably the most widely used package manager on macOS, has seen no recent compromises.

Search and you’ll find nothing; the same can’t be said for NPM, where you’ll see dozens of articles about the Shai-Hulud package worm.

Does Homebrew have a better security review process (like their human review for Homebrew-core), or are threat actors just finding easier ways to compromise users?

Iru Threat Intelligence has seen a recent increase in attackers using spoofed Homebrew webpages to get users to download malware. Just in the last week, we came across four Homebrew-related domains (homebrewoneline[.]org and others),