Cybercriminals are stepping up their attacks on Mac users, using fake GitHub repositories to spread malware disguised as legitimate apps.
Security researchers at LastPass, a freemium password manager that stores encrypted passwords online, have uncovered the widespread campaign, which impersonates well-known companies and apps, including LastPass, 1Password, Dropbox, Notion, Robinhood, Adobe After Effects, and even banks such as Citibank.
At the heart of the scheme is Atomic Stealer (also known as AMOS), a piece of malware that has been circulating since 2023. It is part of a growing "malware-as-a-service" economy, making it easy for cybercriminals to launch campaigns without deep technical expertise.
Once installed, it can grab passwords, saved browser cookies, crypto-wallet keys, banking credentials, and other sensitive data from a victim's Mac that could be sold or used for fraud.
How The Scam Works
Attackers create GitHub pages that look like official software downloads for macOS, often carefully named with keywords like "Install on MacBook" or "Premium for Mac" to make them appear trustworthy.
To lure in victims, the cybercriminals use aggressive search engine optimization (SEO) to push these malicious pages to the top of Google and Bing search results.
Anyone looking for a Mac version of these apps might easily click one of the fake links without realizing it. Clicking these download links sends users to another site, where they are told to copy and paste a command into their Mac Terminal to install the app. That command silently pulls in the AMOS malware and installs it, often disguised as an "update."
LastPass says the campaign relies on a "ClickFix" social engineering trick, pushing users to quickly follow technical instructions without understanding what's happening behind the scenes.
LastPass Responds
LastPass reported finding at least two GitHub pages impersonating its own Mac app earlier this month. Both were taken down after being flagged, but the attackers are actively creating multiple accounts to stay ahead of takedowns.
"We acted swiftly to identify and report the fraudulent GitHub pages impersonating LastPass, which have since been taken down. We continue to monitor this campaign and collaborate with industry partners to disrupt its infrastructure," said Alex Cox, Director of Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass.
The company has published a list of indicators of compromise (IoCs), including malicious URLs and file hashes, to help spot the attack and block related threats.
What Users Should Do
Security experts say the safest move is downloading apps only from official vendor websites or the Mac App Store. Other tips include:
- Don't trust GitHub repositories that you are unfamiliar with.
- Avoid running Terminal commands unless they come from a verified, trusted source.
- Use up-to-date antivirus or endpoint security tools that can catch suspicious behavior even if malware is executed.
The Takeaway
The campaign shows how easily trusted platforms, in this case GitHub and Google search results, can be abused. If you suspect you have downloaded one of these fake apps, treat your passwords and financial data as compromised. Change your credentials immediately, review your financial and crypto accounts for suspicious activity, and run a full security scan on your Mac.