Mac Malware Campaign Uses Fake GitHub Pages, LastPass Lure

A recent infostealer campaign is using fake GitHub repositories to target Mac users looking to install LastPass and software from other companies on their MacBooks. 

LastPass researchers who found the “ongoing, widespread” campaign said that it involves two fake GitHub pages that impersonate the password manager. They were both posted to GitHub by the user “modhopduck476” on Sept. 16, and include links that claim to “install LastPass on MacBook.” While LastPass researchers said that the sites have since submitted for takedown and are now inactive, the pages appear to have been created by multiple GitHub usernames in order to persist through takedown efforts.

“The threat actors are using Search Engine Optimization (SEO) to deliver links to their malicious sites at the top of search pages, including Bing and Google,” said Alex Cox, Mike Kosak, and Stephanie Schneider in the post. “This campaign appears to be targeting a range of companies, including tech companies, financial institutions, password managers, and more.”

Once targets click on the link claiming to “install LastPass on MacBook,” they are redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass, which then redirects them again to the URL macprograms-pro[.]com/mac-git-2-download.html. That site then instructs targets to copy and paste a command into their Mac’s terminal.

The command conducts a curl request to a URL that is base64 encoded (decoded to bonoud[.]com/get3/install.sh), which leads to the download of an “Update” payload in the .tmp (Temp) directory. 

"The attackers didn’t need to break cryptographic algorithms or exploit zero-day vulnerabilities — they simply needed to exploit human trust and established patterns.”

This payload is Atomic Stealer, an infostealer that’s been around since 2023 and is linked to financially motivated cybercrime groups. 

The campaign’s instructions for victims to copy and paste a command into their Mac terminal is an interesting aspect, as this bears similarities to the popular ClickFix attack technique. ClickFix has increased in popularity as threat actors leverage a combination of social engineering and integrating manual copy and paste instructions into their attacks, particularly in infostealer attacks like Lumma Stealer. Traditional ClickFix attacks (which have been around since 2024) have relied on pages touting “broken” human verification and CAPTCHA checks, before instructing victims to copy and paste commands in the Windows Run dialog box or Windows Terminal in order to “fix” the issue. There have previously been instances of ClickFix targeting Mac users, including one earlier this summer that involved ClickFix-themed delivery websites that typosquatted a U.S.-based cable television company Spectrum, and resulted in a malicious command being copied to user clipboards. This campaign delivered the Atomic stealer.

The use of SEO and fake GitHub pages isn’t new; in fact, a recent campaign in July had markedly similar characteristics to this more recent one. That incident involved a malicious sponsored Google ad for macOS package management system HomeBrew, which pointed to an official-looking GitHub repository for downloading HomeBrew; targets were instructed to copy a bash command, which eventually led to macOS malware.

“The human element here was crucial. Users trust Google Ads,” said Dhiraj Mishra with Deriv in a breakdown of the attack. “They trust GitHub. They trust familiar installation patterns. The attackers didn’t need to break cryptographic algorithms or exploit zero-day vulnerabilities — they simply needed to exploit human trust and established patterns.”

LastPass researchers said they will continue to monitor this more recent campaign; they released Indicators of Compromise (IoCs) linked to the attack in their blog post as well. Decipher has reached out to LastPass to learn more about the extent of the campaign.