Mac users are being cautioned about a sophisticated malware campaign known as Atomic Stealer making rounds on GitHub. This attention-drawing operation involves impostor accounts masquerading as reputable companies such as LastPass and 1Password. Cybersecurity experts have identified these fraudulent GitHub pages, initially detected under the username "modhopmduck476," which cunningly redirect unsuspecting users to a page instructing them to insert a command into the macOS Terminal.
The command executes a curl request to retrieve a base64-encoded URL. This URL decodes to a script located at bonoud.com/get3/install.sh. Once executed, this installs a payload into the system's temporary directory. At the heart of this malicious payload is Atomic Stealer (AMOS), an infostealer that has been actively siphoning credentials and financial data since its emergence in April 2023.
Wider Implications and Impersonations
This campaign doesn't stop at security tools, reaching out deceitfully under the guise of Robinhood, Citibank, Docker, Shopify, and Basecamp as well. This extensive mimicry poses a significant risk as attackers strategically establish numerous GitHub accounts, manipulating search engine optimization to elevate these malicious links within search results. Consequently, users searching for these trusted brands may unintentionally land on fraudulent pages rather than the legitimate counterparts.
LastPass has taken definitive steps in response to this threat. It is attentively monitoring the campaign, working towards prompt takedown of these deceptive accounts, and disseminating critical indicators of compromise to enhance defense efforts.
Mitigation Measures
For Mac users, the advice is centered on enhancing cybersecurity hygiene. Security experts stress the importance of downloading software exclusively from verified, official sources and exercising caution when urged to execute commands from unfamiliar websites. Keeping macOS and related applications updated forms a crucial defense layer.
To further armor personal systems against such threats, using robust antivirus solutions equipped with ransomware protection is recommended. Regular system backups can mitigate potential losses, while utilizing strong and unique passwords, fortified through two-factor authentication, adds an extra security net. Finally, staying informed through monitoring advisories issued by official vendors can be instrumental in preemptive threat identification and neutralization.
Update: 25 Sep 2025
