- Atomic Stealer malware is delivered silently through fake GitHub pages targeting Mac users
- The attackers create multiple GitHub accounts to evade platform takedowns repeatedly
- Users who copy commands from unverified websites risk a serious system compromise
Cybersecurity researchers are warning Apple Mac users about a campaign that uses fraudulent GitHub repositories to spread malware and infostealers.
Research by analysts from LastPass's Threat Intelligence, Mitigation, and Escalation (TIME) team found that the attackers impersonated well-known companies to convince people to download fake Mac software.
Two fraudulent GitHub pages claiming to offer LastPass for Mac were first spotted on September 16, 2025, under the username “ModhopMduck476”.
How the attack chain works
Although these particular pages have since been removed, the incident points to a broader pattern that continues to evolve.
The fake GitHub pages included links labeled “Install LastPass on MacBook”, which redirected to hxxps://ahoastock825[.]github[.]io/.GitHub/Lastpass.
From there, users were sent to MacPrograms-Pro[.]com/mac-git-2-download.html and told to paste a command into their Mac's Terminal.
That command used a curl request to retrieve a base64-encoded URL, which decoded to Bonoud[.]com/get3/install.sh.
The script then delivered an “update” payload that installed Atomic Stealer (AMOS malware) in the temporary directory.
Atomic Stealer, active since April 2023, is a well-known infostealer used by financially motivated cybercrime groups.
Investigators have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity applications.
The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp and many others.
The attackers appear to create multiple GitHub usernames to evade takedowns, using search engine optimization to push their malicious links higher in Google and Bing search results.
This technique increases the chance that Mac users searching for legitimate downloads encounter the fraudulent pages first.
LastPass says it is actively “monitoring this campaign” while working on takedowns and sharing indicators of compromise to help others detect the threat.
The attackers' use of GitHub Pages highlights both the convenience and the risks of community platforms.
Fraudulent repositories can be set up quickly, and although GitHub can remove them, attackers often return under new aliases.
This cycle raises questions about how effective takedowns on such platforms really are.
How to stay safe
- Only download software from verified sources to avoid malware and ransomware.
- Avoid copying commands from unknown websites to prevent unauthorized code execution.
- Keep macOS and all installed software up to date to reduce vulnerabilities.
- Use reputable antivirus or security software that includes ransomware protection to block threats.
- Enable regular system backups so files can be recovered if ransomware or malware strikes.
- Stay skeptical of unexpected links, emails and pop-ups to minimize exposure.
- Monitor official advisories from trusted vendors for timely updates and security guidance.
- Set strong, unique passwords and enable two-factor authentication for important accounts.