Homebrew cask malware threat alert
Homebrew is a free and open-source package manager that simplifies installing software on Apple's macOS as well as on Linux. The name is meant to evoke building software on the Mac to the user's own taste. On April 21, 2021, Homebrew published a security incident notice stating that on April 18, 2021, security researchers had found a flaw in the project's review-cask-pr GitHub Action. An attacker could use it to inject arbitrary code into a cask package and have the change merged into the main branch of the package repository. When a user then ran brew upgrade to update an otherwise safe package, the tampered cask would be downloaded and the malicious code in it executed. Homebrew's notice lists the following remediation steps:
- The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories.
- The automerge GitHub Action has been disabled and removed from all repositories (in favour of the GitHub built-in functionality that did not exist when this action was created).
- We have removed the ability for our bots to commit to homebrew/cask* repositories.
- All homebrew/cask* pull requests will require a manual review and approval by a maintainer.
- We are improving documentation to help onboard new homebrew/cask maintainers and training existing homebrew/core maintainers to help with homebrew/cask.
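The incident above turns on a review bot that approved changes it did not fully understand. The Ruby script below is an added example, not Homebrew's own review-cask-pr action or any code from the project, showing the fail-closed shape such a check needs: it allow-lists exactly the `version` and `sha256` lines a routine bump touches and rejects everything else, including lines it cannot parse, changes to any other stanza, and pull requests that touch more than one file. The cask name, the diffs and the hostnames (`example.invalid`, `not-the-vendor.invalid`) are constructed for the example.

```ruby
# Added example (not Homebrew's review-cask-pr action): a fail-closed checker for
# a cask pull-request diff. It allow-lists exactly the two lines a routine bump
# is supposed to touch, `version` and `sha256`, and rejects anything else it
# sees, including lines it cannot parse. All diffs below are constructed.

# A cask stanza line such as:   version "1.2.3"   or   sha256 "ab12..."
STANZA_RE = /\A\s*(version|sha256)\s+"([^"]*)"\s*\z/
BUMP_KEYS = %w[sha256 version].freeze

# Returns [:approve, []] or [:reject, reasons].
def review_cask_diff(diff_text)
  reasons = []
  removed = {}
  added = {}
  files = 0
  in_hunk = false

  diff_text.each_line do |raw|
    line = raw.chomp
    if line.start_with?("diff --git")
      files += 1
      in_hunk = false
      next
    end
    unless in_hunk
      # Everything between a file header and its first @@ is metadata.
      in_hunk = true if line.start_with?("@@")
      next
    end
    next if line.start_with?("@@")

    case line[0]
    when " ", nil, "\\"
      next # context line, blank line, or "\ No newline at end of file"
    when "-", "+"
      body = line[1..-1]
      m = STANZA_RE.match(body)
      unless m
        kind = line[0] == "-" ? "removed" : "added"
        reasons << "unrecognised #{kind} line: #{body.strip.inspect}"
        next
      end
      bucket = line[0] == "-" ? removed : added
      reasons << "#{m[1]} changed more than once" if bucket.key?(m[1])
      bucket[m[1]] = m[2]
    else
      reasons << "malformed diff line: #{line.inspect}"
    end
  end

  reasons << "expected exactly one cask file, got #{files}" unless files == 1
  # A bump replaces values; it never introduces or deletes a stanza.
  unless removed.keys.sort == added.keys.sort
    reasons << "removed stanzas #{removed.keys.sort} do not match added #{added.keys.sort}"
  end
  # Version and sha256 must change together, and nothing else may change.
  unless added.keys.sort == BUMP_KEYS
    reasons << "expected exactly #{BUMP_KEYS} to change, got #{added.keys.sort}"
  end
  if added["sha256"] && added["sha256"] !~ /\A[0-9a-f]{64}\z/
    reasons << "new sha256 is not a 64 hex digit digest"
  end

  reasons.empty? ? [:approve, []] : [:reject, reasons]
end

# Constructed sample: a routine version/sha256 bump and nothing else.
BENIGN_DIFF = <<~'DIFF'
diff --git a/Casks/example.rb b/Casks/example.rb
--- a/Casks/example.rb
+++ b/Casks/example.rb
@@ -1,5 +1,5 @@
 cask "example" do
-  version "1.0.0"
-  sha256 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+  version "1.0.1"
+  sha256 "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
   url "https://example.invalid/example-#{version}.dmg"
 end
DIFF

# Constructed sample: the same bump, but the download URL is also redirected.
TAMPERED_DIFF = <<~'DIFF'
diff --git a/Casks/example.rb b/Casks/example.rb
--- a/Casks/example.rb
+++ b/Casks/example.rb
@@ -1,5 +1,5 @@
 cask "example" do
-  version "1.0.0"
-  sha256 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+  version "1.0.1"
+  sha256 "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
-  url "https://example.invalid/example-#{version}.dmg"
+  url "https://not-the-vendor.invalid/example-#{version}.dmg"
 end
DIFF

# Constructed sample: version bumped without a matching sha256 change.
VERSION_ONLY_DIFF = <<~'DIFF'
diff --git a/Casks/example.rb b/Casks/example.rb
@@ -1,5 +1,5 @@
 cask "example" do
-  version "1.0.0"
+  version "1.0.1"
   sha256 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
   url "https://example.invalid/example-#{version}.dmg"
 end
DIFF

# Constructed sample: a line the parser cannot classify must not be ignored.
GARBLED_DIFF = <<~'DIFF'
diff --git a/Casks/example.rb b/Casks/example.rb
@@ -1,2 +1,2 @@
 cask "example" do
~  version "1.0.1"
DIFF

if __FILE__ == $PROGRAM_NAME
  { benign: BENIGN_DIFF, tampered: TAMPERED_DIFF,
    version_only: VERSION_ONLY_DIFF, garbled: GARBLED_DIFF }.each do |name, diff|
    verdict, reasons = review_cask_diff(diff)
    puts "#{name}: #{verdict} #{reasons.join('; ')}"
  end
end
```

The design point is the direction of the default: the checker names the two lines it is willing to approve and treats every other line, including ones it cannot parse, as grounds for rejection, which is the opposite of a bot that looks for known-bad patterns. Even with such a gate in place, the human approval Homebrew now requires for all homebrew/cask* pull requests remains the backstop for cases the checker does not understand.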