Large-Scale Attack Targeting Macs via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware

Alex Cox, Mike Kosak & Stephanie Schneider • PublishedSeptember 18, 2025

Subscribe & Save 20% off select plans

Enter your email

By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team is tracking an ongoing, widespread infostealer campaign targeting Mac users through fraudulent GitHub repositories designed to trick potential victims into installing what is presented as various companies’ software for MacOS. In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware. The threat actors are using Search Engine Optimization (SEO) to deliver links to their malicious sites at the top of search pages, including Bing and Google. This campaign appears to be targeting a range of companies, including tech companies, financial institutions, password managers, and more. Further information on the targeted companies can be found in the Indicators of Compromise (IoCs) at the end of the blog.

We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts, and to also share indicators of compromise (IoCs) to help other security teams detect cyber threats. This excellent blog post by Dhiraj Mishra describes a similar campaign targeting another software that bears many of the same hallmarks as the campaign we are addressing here. We are actively monitoring this campaign and will update our blog post with any new information.

Malicious GitHub Pages Claiming to Offer LastPass Removed

LastPass tracked two fraudulent GitHub sites targeting our customers; these sites were immediately submitted for takedown and are now inactive.

Screen Capture of SEO-driven Referral to Malicious Software

Campaign Details

Two GitHub pages impersonating LastPass were posted to GitHub by the user “modhopmduck476” on 16 September. Both pages included links allegedly to “Install LastPass on MacBook” that redirected to the same page: hxxps://ahoastock825[.]github[.]io/.github/lastpass.
- Notably, the GitHub pages appear to be created by multiple GitHub usernames to get around takedowns.
- The GitHub page headlines include “name of company” and Mac-related terminology (i.e. MacOS, Mac, Premium on Macbook) since that’s what they are targeting.

Screen Capture of the LastPass Impersonation Page

This site then redirects to the URL “macprograms-pro[.]com/mac-git-2-download.html”.
That site instructs users to copy and paste the following command into their Mac’s terminal:

Screen Capture of the Secondary Site

The command then conducts a CURL request to a base64 encoded URL which decodes to: bonoud[.]com/get3/install.sh
This site then delivers the following payload:

This in turn downloads the “Update” payload to the Temp directory. The Update payload is in fact Atomic stealer (aka AMOS malware). Atomic stealer has been available since at least April 2023. The malware has previously been associated with financially motivated cybercrime groups.
LastPass will continue to monitor this campaign and provide updates as warranted.

Indicators of Compromise (IoCs)

URLs: