Our audit of Homebrew

William Woodruff, in partnership with the Homebrew maintainers, conducted an audit of Homebrew and its related repositories last summer. The audit revealed non-critical issues that could allow an attacker to load executable code and compromise the integrity of Homebrew. The audit, sponsored by Open Tech Fund, was aimed at securing internet infrastructure: Homebrew, a package manager for macOS, is a key dependency for the security of the downstream software ecosystems that install through it. Issues found included formula sandbox escapes and the potential inclusion of networked resources. The audit also highlighted weaknesses in Homebrew’s CI/CD that could allow an attacker to manipulate builds and potentially escalate privileges. Overall, Homebrew’s security assumptions can be subverted by malicious formulae or unsanitized inputs.

https://blog.trailofbits.com/2024/07/30/our-audit-of-homebrew/