
LastPass, a leader in password and identity management trusted by over 100,000 businesses worldwide, has uncovered a widespread cyberattack campaign targeting macOS users. The campaign, detected by the company’s Threat Intelligence, Mitigation, and Escalation (TIME) team, involves fraudulent GitHub repositories impersonating trusted companies, including LastPass itself, to spread the Atomic Stealer (AMOS) malware.
LastPass identifies a cyberattack targeting Mac users via fake GitHub pages.
Attackers used SEO manipulation to lure victims into downloading malware.
Fraudulent repos impersonated trusted companies, including LastPass.
The malware, Atomic Stealer, is designed to steal sensitive information.
LastPass swiftly reported and took down the fraudulent GitHub repositories.
Indicators of Compromise (IoCs) published to aid wider threat mitigation.
The attackers created GitHub pages falsely claiming to host legitimate macOS applications from companies such as LastPass. Through aggressive Search Engine Optimization (SEO) tactics, these malicious repositories appeared prominently in search results on platforms like Google and Bing. Unsuspecting users who clicked the links were redirected to malicious websites that instructed them to execute terminal commands, which ultimately installed the Atomic Stealer malware.
The Atomic Stealer (AMOS) malware, active since at least April 2023, is linked to financially motivated cybercrime groups. Once deployed, it harvests sensitive data from infected systems, including login credentials and personal information, posing a significant risk to both individuals and organizations.
“Protecting our users is our highest priority,” said Alex Cox, Director of the Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass. “We acted swiftly to identify and report the fraudulent GitHub pages impersonating LastPass, which have since been taken down. We continue to monitor this campaign and collaborate with industry partners to disrupt its infrastructure.”
The TIME team acted quickly to remove the fraudulent repositories and continues to track the threat actors behind the campaign. LastPass has shared Indicators of Compromise (IoCs) with the wider security community to help organizations detect and neutralize related attacks.
LastPass urges users to remain cautious and avoid downloading software from unofficial sources. By maintaining vigilance and verifying trusted download channels, users can significantly reduce exposure to malware campaigns like Atomic Stealer.
For more information and ongoing updates, visit the LastPass Labs Blog.
LastPass is a leading identity and password manager, making it easier to log in to life and work. Trusted by 100,000 businesses and millions of users, LastPass combines advanced security with effortless access for individuals, families, small business owners, and enterprise professionals.