- Attackers are running a wide campaign that targets Apple macOS users with information-stealing Malware.
- The campaign uses fake GitHub repositories to distribute malware disguised as trusted software tools.
- Victims are led to download the Atomic Stealer malware through links appearing at the top of Bing and Google search results.
- Multiple well-known apps, including LastPass, 1Password, and Dropbox, are being impersonated in this campaign.
- Attackers use different GitHub accounts and SEO techniques to avoid detection and takedown efforts.
LastPass reported that a large-scale cyber campaign is currently targeting Apple macOS users. Attackers are deploying malware through fake GitHub repositories that appear to offer legitimate apps in order to steal information from computers.
The company’s Threat Intelligence, Mitigation, and Escalation (TIME) team confirmed on September 20, 2025, that victims who try to download LastPass for Mac are redirected through fraudulent repositories. These downloads actually install the Atomic Stealer malware, which is designed to harvest sensitive user information.
Researchers Alex Cox, Mike Kosak, and Stephanie Schneider of LastPass said the scheme is not limited to just their product. Other affected software names include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. According to the team, “The GitHub pages appear to be created by multiple GitHub usernames to get around takedowns.” Attackers use Search Engine Optimization (SEO) poisoning, making malicious links appear at the top of search results, which then lure users to click and download harmful software.
After reaching these fake GitHub repositories, victims are directed to another website. Here, the site offers step-by-step instructions that tell users to run a command through the Terminal app, which in turn launches the Atomic Stealer malware. This kind of attack exploits user trust in well-known apps and platforms.
Other recent attacks have used similar methods, such as fake Google Ads and deceptive GitHub repositories to deliver multi-stage malware that avoids detection and connects to remote servers for further actions, according to security researcher Dhiraj Mishra. In the past weeks, threat actors have also used public GitHub repositories to deliver malware via tools like Amadey, and have exploited weaknesses like “dangling commits” to redirect users to infected programs.
As this campaign continues, researchers warn Mac users to only download applications from official sources and to use caution when following search engine links that lead to unfamiliar sites.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Shiba Inu Needs Global Adoption, Burns to Achieve $0.01 Milestone
- Saylor: Bitcoin Stability Draws Institutions, Bores Retail Investors
- ShadowLeak Attack Exposes Gmail Data via ChatGPT ‘Deep Research’ Flaw
- Crypto Market May Underestimate Aggressive Fed Rate Cut Path
- Kevin Durant Recovers Lost Bitcoin After 10 Years Locked Out
