Homebrew cask malware threat alert

Homebrew is a free and open-source package manager that simplifies installing software on Apple's macOS as well as on Linux. The name is meant to evoke building software on the Mac to the user's own taste. On April 21, 2021, Homebrew published a security incident disclosure: on April 18, 2021, a security researcher reported a vulnerability in the review-cask-pr GitHub Action used by the Homebrew project. An attacker could inject arbitrary code into a cask (the Ruby definition of a macOS application package) and have it merged into the main branch of the cask repository. Because brew evaluates the cask's Ruby when it installs or upgrades the package, a user who then ran brew upgrade would fetch the tampered cask and execute the malicious code it carried.

Homebrew used the review-cask-pr GitHub Action to automatically review pull requests against the homebrew-cask and homebrew-cask-* repositories and merge the ones that only bumped a cask's version and sha256. review-cask-pr relied on the git_diff library to parse each pull request's diff and decide which lines had changed. Because of a flaw in git_diff's parsing, some changed lines were not reported to the check, so a pull request that also carried extra code could pass as a harmless version bump and be merged automatically.
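A hardened version of the check such a bot should perform, written here as an added example in Ruby (Homebrew's own language). This is the editor's code, not review-cask-pr or git_diff; the cask text, the hashes and the `safe_version_bump?` name are constructed for the example. Instead of trusting a diff parser's account of which lines changed, it compares the cask file before and after the proposed merge line by line and accepts only a pure version/sha256 bump. Code smuggled onto the version line, a non-allowlisted field replaced with code, or an extra block appended after the allowlisted fields are all rejected.

```ruby
# Added example (editor's code, not Homebrew's review-cask-pr or git_diff).
# Compare the cask as it would exist after the merge against the current
# file and accept only a pure version/sha256 bump. All names and sample
# casks below are constructed for the example.

FIELD_RE   = /\A(?<indent>\s*)(?<key>version|sha256) "(?<value>[^"]*)"\s*\z/
SHA256_RE  = /\A[0-9a-f]{64}\z/
VERSION_RE = /\A[A-Za-z0-9][A-Za-z0-9._,+-]*\z/

# Returns [accepted?, reason]. Accepts only when every differing line is a
# whole-line version or sha256 field (same key, same indentation), each
# changed at most once, with a well-formed value. Line count must not change.
def safe_version_bump?(before, after)
  old_lines = before.lines(chomp: true)
  new_lines = after.lines(chomp: true)
  if old_lines.size != new_lines.size
    return [false, "line count changed (#{old_lines.size} -> #{new_lines.size})"]
  end

  changed = []
  old_lines.zip(new_lines).each_with_index do |(old, new), idx|
    next if old == new
    mo = FIELD_RE.match(old)
    mn = FIELD_RE.match(new)
    # Whole-line match: anything after the closing quote fails the regex.
    unless mo && mn && mo[:key] == mn[:key] && mo[:indent] == mn[:indent]
      return [false, "line #{idx + 1} is not a plain version/sha256 change: #{new.inspect}"]
    end
    value_ok = mn[:key] == "sha256" ? SHA256_RE.match?(mn[:value]) : VERSION_RE.match?(mn[:value])
    return [false, "line #{idx + 1}: malformed #{mn[:key]} value"] unless value_ok
    changed << mn[:key]
  end

  return [false, "no changes"] if changed.empty?
  return [false, "a field changed more than once"] if changed.uniq.size != changed.size
  [true, "version bump touching: #{changed.sort.join(', ')}"]
end

# Constructed cask (not a real Homebrew cask); the hash is a placeholder.
ORIGINAL_CASK = <<~CASK
  cask "example" do
    version "1.0.0"
    sha256 "#{'a' * 64}"

    url "https://example.com/example-\#{version}.dmg"
    name "Example"
    homepage "https://example.com/"

    app "Example.app"
  end
CASK

# 1. Legitimate bump: only version and sha256 change.
BENIGN_PR = ORIGINAL_CASK.sub('version "1.0.0"', 'version "1.0.1"').sub("a" * 64, "b" * 64)

# 2. Bump plus an injected postflight block that brew would run on install.
INJECTED_PR = BENIGN_PR.sub(
  "  app \"Example.app\"\n",
  "  app \"Example.app\"\n\n  postflight do\n    system_command \"/bin/sh\", args: [\"-c\", \"echo pwned\"]\n  end\n"
)

# 3. Same line count: code smuggled onto the version line itself.
SMUGGLED_PR = ORIGINAL_CASK.sub('version "1.0.0"', 'version "1.0.1"; system("echo pwned")')
                           .sub("a" * 64, "b" * 64)

# 4. Same line count: a non-allowlisted field replaced with code.
FIELD_SWAP_PR = BENIGN_PR.sub('homepage "https://example.com/"', 'system("echo pwned")')

if __FILE__ == $PROGRAM_NAME
  { benign: BENIGN_PR, injected: INJECTED_PR, smuggled: SMUGGLED_PR, field_swap: FIELD_SWAP_PR }.each do |label, pr|
    ok, reason = safe_version_bump?(ORIGINAL_CASK, pr)
    puts format("%-10s %s  %s", label, ok ? "ACCEPT" : "REJECT", reason)
  end
end
```

Checking the post-merge file rather than a parsed diff takes the diff parser out of the trust boundary: a line a parser silently drops is still present in the merged file, which is what brew will evaluate. Such a gate complements, and does not replace, the mandatory human review Homebrew adopted after the incident.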
Homebrew has taken the following emergency measures, in its own words:
  • The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories.
  • The automerge GitHub Action has been disabled and removed from all repositories (in favour of the GitHub built-in functionality that did not exist when this action was created).
  • We have removed the ability for our bots to commit to homebrew/cask* repositories.
  • All homebrew/cask* pull requests will require a manual review and approval by a maintainer.
  • We are improving documentation to help onboard new homebrew/cask maintainers and training existing homebrew/core maintainers to help with homebrew/cask.