Beware: GitHub repos distributing Atomic Infostealer on macOS

LastPass warns macOS users of fake GitHub repos distributing Atomic infostealer malware disguised as legitimate tools.

LastPass warns macOS users about fake GitHub repositories spreading malware disguised as legitimate tools, redirecting victims to download the Atomic macOS infostealer.

“The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team is tracking an ongoing, widespread infostealer campaign targeting Mac users through fraudulent GitHub repositories designed to trick potential victims into installing what is presented as various companies’ software for MacOS,” reads the report published by LastPass. “In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware.”

The campaign is still ongoing: the threat actors use SEO to push the malicious pages to the top of Google and Bing search results, and the lures impersonate tech firms, banks, and password managers. Security teams have shared IoCs to help detect and mitigate the campaign.

LastPass identified two fraudulent GitHub repositories, which were promptly flagged for takedown and are now inactive.

“Notably, the GitHub pages appear to be created by multiple GitHub usernames to get around takedowns.” continues the report. “The GitHub page headlines include “name of company” and Mac-related terminology (i.e. MacOS, Mac, Premium on Macbook) since that’s what they are targeting.”

The GitHub page tricks users into following ClickFix-style instructions in Terminal, which installs the Atomic Stealer malware.

The campaign also targets macOS users by impersonating popular tools such as 1Password, Dropbox, Notion, Shopify, and others.

The researchers also shared Indicators of Compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, macOS)
