Attackers are buying Google ads to push fake Homebrew installers to Mac users, exploiting trust in search results. The malicious campaign places a counterfeit site above the official Homebrew page, tricking users into running a harmful Terminal command. This attack leverages normal software installation behavior rather than technical exploits, making it particularly effective against developers and everyday Mac users who rely on Homebrew.

Once users click the sponsored link, they encounter a nearly identical page to the real Homebrew site. The fake version swaps the legitimate installation command for an obfuscated Base64-encoded script that installs malware. Security researchers have linked this payload to AMOS (Atomic macOS Stealer), which targets browser data, credentials, and cryptocurrency wallets. The attack succeeds because users expect to copy and paste installation commands, and the encoding masks obvious red flags.

The campaign demonstrates how attackers now prioritize user-driven compromise over technical exploits. By purchasing search ads and rotating domains quickly, they can distribute malware at scale while staying ahead of enforcement. The shift toward social engineering through trusted platforms like Google Search represents a significant evolution in macOS malware distribution tactics.