Large-scale campaign uses fake GitHub repositories to spread Atomic Stealer malware

LastPass is warning Apple macOS users of an ongoing, large-scale malware campaign that leverages fake GitHub repositories to spread information-stealing malware disguised as legitimate software tools.

According to LastPass' Threat Intelligence, Mitigation, and Escalation (TIME) team, the attackers are using SEO poisoning to manipulate Google and Bing search results, pushing malicious GitHub pages to the top. The pages appear to offer legitimate downloads, such as ‘Install LastPass on MacBook’, but actually redirect users to malware-laced sites.

The attackers are also impersonating a wide array of popular tools and services, including 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck, to target macOS users.

The malicious GitHub pages are reportedly created by multiple fake accounts to evade takedowns. Victims are ultimately led to run dangerous Terminal commands under the guise of software installation, which results in the deployment of the Atomic Stealer, a powerful macOS malware capable of stealing passwords, browser data, and cryptocurrency wallet information.
