Malware And CampaignsCampaign

Homebrew search ad ClickFix macOS malware delivering SHub Stealer

April 1, 2026Unit 42

Unit 42 describes a macOS malware campaign using malicious ads targeting people searching for Homebrew, tricking them into running fake install commands. The script fingerprints the device and deploys SHub Stealer, with rapidly changing command and control domains.

Open in PulseSee the full expert discussion →

QUOTES

Ongoing #macOS #malware campaign target users searching for Homebrew on Mac with malicious ads, tricking them with fake install commands.

The script fingerprints the device and deploys SHub Stealer to steal wallets & passwords.

New C2 domains appear daily:

VOICES

Unit 42

RELATED TERMS

macossocial engineeringmacossocial engineering

OTHER FINDINGS IN MALWARE AND CAMPAIGNS

Axios npm package compromise, WAVESHAPER.V2 cross platform RAT Handala Hack Telegram threat claiming imminent Lockheed Martin data leak Telnyx PyPI compromise (TeamPCP) shipping malware in telnyx 4.87.1/4.87.2

AMYGDALA PULSE

See what experts are saying right now

This finding is one of many signals tracked across Cyber Security. The live feed updates every few hours with new expert voices, debates, and emerging ideas.

Open Cyber Security Pulse Browse all topics

← Back to Cyber Security