LastPass has issued a warning about a new campaign targeting macOS users with malicious software disguised as popular apps, delivered through fraudulent GitHub repositories.
The attackers are spreading the Atomic (AMOS) info-stealing malware through “ClickFix” attacks, promoted using search engine optimization (SEO) tactics on Google and Bing. AMOS is a malware-as-a-service operation that costs $1,000 per month and is designed to steal sensitive data. Recently, its developers added a backdoor feature that gives hackers persistent and stealthy access to compromised systems.
According to LastPass, the campaign impersonates over 100 well-known apps, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub repositories are optimized to rank high in search results, making them appear legitimate.
Victims who click the “download button” on these repositories are redirected to another site and instructed to paste a command into the macOS Terminal. This is a classic ClickFix technique, where users unknowingly download a payload (install.sh) from a base64-encoded URL, which installs AMOS into the /tmp directory.
Security experts note that these types of attacks aren’t new. In the past, campaigns have impersonated services like Booking.com or used ads to push fake macOS fixes. Despite LastPass reporting the fake repositories, new ones keep appearing quickly through automated account creation.
To stay safe, users are advised to only download apps from official websites and avoid running unfamiliar commands in Terminal. If a macOS version of software isn’t available on the developer’s official page, chances are any “unofficial” variant is fake.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
