Attackers have used a malicious Google ad with Homebrew’s proper “brew.sh” URL to redirect to the typosquatted “brewe[.]sh” site, which lures targets into downloading the package manager that enables infostealer malware execution, according to security researcher Ryan Chenkie.
ValleyRAT malware spread via bogus software installers
