LastPass is warning of an ongoing, widespread information stealer campaign targeting Apple macOS users through fake GitHub repositories that distribute malware-laced programs masquerading as legitimate tools.’In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the [Atomic](https://thehackernews.com/2025/07/fake-gaming-and-ai-firms-push-malware.html) infostealer malware,’ researchers Alex Cox, Mike Kosak, and Stephanie Schneider from the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team [said](https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages).Beyond LastPass, some of the popular tools impersonated in the campaign include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck, among others. All the GiHub repositories are designed to target macOS systems.The attacks involve the use of Search Engine Optimization (SEO) poisoning to push links to malicious GitHub sites on top of search results on Bing and Google, that then instruct users to the download the program by clicking the ‘Install LastPass on MacBook’ button, redirecting them a GitHub page domain.’The GitHub pages appear to be created by multiple GitHub usernames to get around takedowns,’ LastPass said. The GitHub page is designed to take the user to another domain that provides [ClickFix-style instructions](https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html) to copy and execute a command on the Terminal app, resulting in the deployment of the Atomic Stealer malware.It’s worth noting similar campaigns have been previously leveraged malicious sponsored Google Ads for Homebrew to distribute a multi-stage dropper through a bogus GitHub repository that can run detect virtual machines or analysis environments, and decode and execute system commands to establish connection with a remote server, per [security researcher Dhiraj Mishra](https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc).In recent weeks, threat actors have been spotted [leveraging](https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html) public GitHub repositories to host malicious payloads and distribute them via Amadey, as well as [employ dangling commits](https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html) corresponding to an official GitHub repository to redirect unwitting users to malicious programs.
Found this article interesting? Follow us on [Google News](https://news.google.com/publications/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ), [Twitter](https://twitter.com/thehackersnews) and [LinkedIn](https://www.linkedin.com/company/thehackernews/) to read more exclusive content we post.
Related Tags:
NAICS: 334 – Computer And Electronic Product Manufacturing
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 33 – Manufacturing – Metal
Electronics And Other
NAICS: 51 – Information
Amadey
Blog: The Hacker News
Masquerading
Associated Indicators: