LastPass is warning that a widespread information-stealing campaign is targeting macOS users. The attack uses fake GitHub repositories to distribute malware disguised as legitimate software.
According to researchers at the LastPass Threat Intelligence team, these fraudulent repositories redirect victims to download the Atomic infostealer malware.
The attackers use Search Engine Optimization (SEO) poisoning to make the malicious GitHub links appear at the top of search results on Bing and Google. The campaign imitates popular tools like 1Password, Dropbox, Notion, and Thunderbird, among many others. All the GitHub repositories are specifically designed to target macOS.
When a user clicks on a search result, they are taken to a fake GitHub page. These pages appear to have been created under multiple usernames to avoid being taken down. The page then tricks the user into copying and pasting a command into their Terminal app, which installs the Atomic Stealer malware.
This type of attack is not new. Similar campaigns have used malicious sponsored Google Ads and bogus GitHub repositories to distribute malware.
Recently, hackers have been seen using public GitHub repositories to host and distribute malicious payloads. They have also used "dangling commits" that appear to be from an official GitHub repository to redirect users to malicious programs.