- Atomic Stealer malware installs silently via fake GitHub Pages targeting Mac users
- Attackers create multiple GitHub accounts to bypass platform takedowns repeatedly
- Users copying commands from unverified websites risk serious system compromise
Cybersecurity researchers are warning Apple Mac users about a campaign using fraudulent GitHub repositories to spread malware and infostealers.
Research from LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts found attackers are impersonating well-known companies to convince people to download fake Mac software.
Two fraudulent GitHub pages pretending to offer LastPass for Mac were first spotted on September 16 2025 under the username “modhopmduck476.”
How the attack chain works
While these particular pages have been taken down, the incident suggests a broader pattern that continues to evolve.
The fake GitHub pages included links labeled “Install LastPass on MacBook,” which redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass.
From there, users were sent to macprograms-pro[.]com/mac-git-2-download.html and told to paste a command into their Mac’s terminal.
That command used a CURL request to fetch a base64-encoded URL that decoded to bonoud[.]com/get3/install.sh.
The script then delivered an “Update” payload that installed Atomic Stealer (AMOS malware) into the Temp directory.
Atomic Stealer, which has been active since April 2023, is a known infostealer used by financially motivated cybercrime groups.
Investigators have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity apps.
The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp, and numerous others.
Attackers appear to create multiple GitHub usernames to bypass takedowns, using Search Engine Optimization to push their malicious links higher on search results in Google and Bing.
This technique increases the chances that Mac users searching for legitimate downloads will encounter the fraudulent pages first.
LastPass states it is “actively monitoring this campaign” while working on takedowns and sharing indicators of compromise to help others detect threats.
The attackers’ use of GitHub Pages reveals both the convenience and the risks of community platforms.
Fraudulent repositories can be set up quickly, and while GitHub can remove them, attackers often return under new aliases.
This cycle raises questions about how effectively such platforms can protect users.
How to stay safe
- Only download software from verified sources to avoid malware and ransomware risks.
- Avoid copying commands from unfamiliar websites to prevent unauthorized code execution.
- Keep macOS and all installed software up to date to reduce vulnerabilities.
- Use the best antivirus or security software that includes ransomware protection to block threats.
- Enable regular system backups to recover files if ransomware or malware strikes.
- Stay skeptical of unexpected links, emails, and pop-ups to minimize exposure.
- Monitor official advisories from trusted vendors for timely security updates and guidance.
- Configure strong, unique passwords and enable two-factor authentication for important accounts.
