AKSucks | 4 years ago
For example, they included their repo GitHub API key in their publicly accessible Jenkins site, which meant that anyone could make a commit to the repo, which would be instantly used by anyone going forward:
https://medium.com/@vesirin/how-i-gained-commit-access-to-ho...
Buuuut hands-down the real clown-shoe reason nobody should run brew is that it modifies /usr/local to be user-writeable so they can be exceptionally lazy and install everything as the user.
Guess what's at the top of /etc/paths? /usr/local/bin.
Any script or program you run, anyone who sits down at your computer for less than a minute, can pwn you without any fancy hax0r tricks... just by adding a binary or script with the same name as a command from /usr/sbin/ or /usr/bin. You'd likely never know or notice unless you happened to run 'which', get unexpected behavior from said binary/script, or notice weird shit in ps/Activity Monitor. Imagine a script or binary that pretended to be ssh and politely passed along everything to the real ssh binary while also sending your keys, passphrases, etc. to a remote host.
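An audit for the shadowing risk described in the comment above, added here as an example and not part of the original post: it walks a PATH-style list in order and reports every executable in a user-writable directory that takes precedence over a same-named executable later in the list. It generalizes beyond /usr/local/bin to any writable entry; the function name `find_shadowed` and the script name `audit.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). find_shadowed is a hypothetical name.
# Usage: sh audit.sh "$PATH"
# For each directory in the colon-separated list that the current user can
# write to, report executables that take precedence over a same-named
# executable in a later directory. Output: name<TAB>winner<TAB>shadowed.
find_shadowed() {
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}                      # first entry
        case $rest in
            *:*) rest=${rest#*:} ;;          # entries searched after $dir
            *)   rest="" ;;
        esac
        # Skip empty entries and directories this user cannot modify.
        [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            later=$rest
            while [ -n "$later" ]; do
                d2=${later%%:*}
                case $later in
                    *:*) later=${later#*:} ;;
                    *)   later="" ;;
                esac
                if [ -n "$d2" ] && [ -f "$d2/$name" ] && [ -x "$d2/$name" ]; then
                    printf '%s\t%s\t%s\n' "$name" "$f" "$d2/$name"
                    break                    # report the first command it hides
                fi
            done
        done
    done
    return 0
}

# Run only when a PATH-style list is passed as the first argument.
if [ "$#" -gt 0 ]; then
    find_shadowed "$1"
fi
```

A reported pair is not proof of tampering, since packages are often installed on purpose under the same name as a system tool; each hit is a file to verify against what you installed.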