A new cyber campaign is actively targeting macOS users with the Atomic Stealer (AMOS) malware, leveraging fake GitHub repositories disguised as legitimate software downloads. Security researchers tracking the campaign report that the operators are impersonating trusted brands such as LastPass, 1Password, Dropbox, Notion, and Shopify to lure unsuspecting victims. Using search engine optimization (SEO) poisoning, attackers ensure that their malicious sites rank highly in Google and Bing results, tricking users searching for software downloads into landing on fraudulent repositories.
Once on the fake GitHub pages, victims are presented with step-by-step instructions that encourage them to copy commands into their macOS Terminal and run them. Instead of installing the advertised software, these commands load the Atomic Stealer infostealer, which is capable of exfiltrating sensitive data, including saved passwords, cryptocurrency wallet details, and personal files.
The campaign demonstrates remarkable persistence and sophistication. Adversaries are using multiple GitHub accounts to host fraudulent repositories, a tactic that helps them evade takedown attempts and maintain operational resilience. Security teams, including LastPass Threat Intelligence, are actively monitoring the campaign and have already flagged and removed several malicious repositories. Shared Indicators of Compromise (IoCs) are enabling organizations to detect and mitigate this ongoing threat.
This attack highlights a dangerous convergence of tactics: exploiting trusted platforms like GitHub and search engines, impersonating widely used brands, and leveraging user trust to deliver malware. For macOS users—long considered less frequent targets—the campaign is a stark reminder that no operating system is immune to sophisticated, trust-based attacks.
#AtomicStealer #macOS #AMOS #GitHub #infostealer #LastPass #1Password #Dropbox #Shopify #SEOpoisoning #cybersecurity #threatintel #malware #datasecurity