Malicious ads targeting macOS are on the rise, with a page impersonating Homebrew used to push MacSync Stealer to potential victims. The diary notes that the example appeared on Thursday, 30 April 2026, and that the fake Homebrew page at hxxps://sites.google[.]com/view/brewpage was still active as of 1 May 2026. The campaign redirects users from search results to a page that prompts them to copy and paste scripts, which lead to the download and execution of MacSync Stealer.
During infection, the malware collects information from the host, temporarily saves it to /tmp/osalogging[.]zip, and sends that file to a command-and-control server associated with glowmedaesthetics[.]com. The indicators shown include the malicious ad URL pattern and the fake Homebrew site URL, along with multiple related files, described as zsh scripts, and their hashes. According to Brad Duncan, this analysis underscores how malvertising can deliver stealer malware to macOS hosts through deceptive Homebrew impersonation.
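A triage sketch for the flow described above, added here as an example and not taken from the diary: it flags hosts that visited the fake Homebrew page, created the staging archive, or looked up the command-and-control domain, and raises a stronger finding when the archive is followed by a lookup within a short window. The event schema (`file_create`, `dns`, `http`), the 10-minute window, the host names and the use of DNS lookups as the network signal are assumptions.

```python
from datetime import datetime, timedelta

# Indicators kept defanged as on the page; refanged only in memory.
STAGING_FILE = "/tmp/osalogging[.]zip"
C2_DOMAIN = "glowmedaesthetics[.]com"
LURE_URL = "hxxps://sites.google[.]com/view/brewpage"
WINDOW = timedelta(minutes=10)  # assumption: max gap between staging and C2 contact

def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")

def host_matches(hostname, domain):
    """Match the domain or a subdomain of it, not look-alike suffixes."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)

def triage(events):
    """Return {host: sorted findings} for hosts that hit any indicator."""
    path, c2, lure = refang(STAGING_FILE), refang(C2_DOMAIN), refang(LURE_URL)
    staged, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        hits = findings.setdefault(host, set())
        # macOS resolves /tmp to /private/tmp, so telemetry may show either form.
        if ev["type"] == "file_create" and ev["path"] in (path, "/private" + path):
            staged[host] = ts
            hits.add("staging_archive_created")
        elif ev["type"] == "dns" and host_matches(ev["query"], c2):
            hits.add("c2_lookup")
            if host in staged and ts - staged[host] <= WINDOW:
                hits.add("staging_then_c2")  # archive staged, then C2 looked up
        elif ev["type"] == "http" and ev["url"].split("?")[0].rstrip("/") == lure:
            hits.add("lure_page_visit")
    return {h: sorted(f) for h, f in findings.items() if f}

def sample_events():
    """Constructed telemetry; hosts, times and the 'cdn.' label are made up."""
    c2, lure = refang(C2_DOMAIN), refang(LURE_URL)
    return [
        {"ts": "2026-04-30T14:02:11", "host": "mac-01", "type": "http", "url": lure},
        {"ts": "2026-04-30T14:05:40", "host": "mac-01", "type": "file_create",
         "path": "/private/tmp/osalogging.zip"},
        {"ts": "2026-04-30T14:05:52", "host": "mac-01", "type": "dns", "query": c2},
        {"ts": "2026-04-30T15:10:00", "host": "mac-02", "type": "dns", "query": "not" + c2},
        {"ts": "2026-04-30T16:00:00", "host": "mac-03", "type": "dns", "query": "cdn." + c2 + "."},
    ]

if __name__ == "__main__":
    for host, hits in triage(sample_events()).items():
        print(host, hits)
```

A host showing only `c2_lookup` or only `lure_page_visit` still warrants review; `staging_then_c2` is the combination that matches the collection-then-upload sequence the diary describes.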