So let's say you're trying to write an app that will get root privs on someone's Macbook. Okay, there's a few different ways to go about this.
One, you could just run an application that asks for their login password and hope they're stupid enough to supply it. You'll catch some newbies but a lot of people will notice something's wrong, and if you're trying to spread before anyone notices, it's game over.
Two, you could create your own "sudo" and put it somewhere in their $PATH, including altering their login to point their $PATH to a new directory somewhere. But firstly, you're relying on someone running sudo eventually (many people never touch the command line), and secondly, some people are still going to notice.
So here's your third option. You only infect people who are running Homebrew, who have their /usr/local chowned to them. Why is this handy? Because /usr/local is in the default system-wide path. You can bet there's some script that runs with root privileges, that has /usr/local/bin o