Blog | G5 Cyber Security

Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

A security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users’ machines. The issue stemmed from the way code changes in its GitHub repository were handled, which made it possible for a malicious pull request to be automatically reviewed and approved. The flaw was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK. In light of the findings, Homebrew has removed the “automerge” GitHub Action and has disabled and removed all vulnerable repositories.

Source: https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html
