Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix

ID: 9f1b5960-afcb-5a22-964d-ff50bf3bf2f2

STIX ID: report--9f1b5960-afcb-5a22-964d-ff50bf3bf2f2

Feed Name: Hunt.io Blog

Threat Score: 78/100

Date Published: 2026-02-18

Date Updated: 2026-04-28

Attackers operate a ClickFix campaign that typosquats Homebrew download pages to trick macOS developers into running a modified installer. The initial script loops to harvest valid user passwords and installs Cuckoo Stealer, a persistent macOS infostealer/RAT. Cuckoo Stealer removes quarantine flags, uses encrypted HTTPS C2 with X25519/MD5-derived XOR encryption, and exfiltrates Keychain data, browser and extension data (notably crypto wallets), messaging sessions, VPN/FTP credentials, and local documents.
