We review vendors based on rigorous testing and research, and also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.

Learn more

Advertising Disclosure

Atomic Stealer Malware Spreads Through Fake MacOS Software Pages

Image by Gaby, from Unsplash

Atomic Stealer Malware Spreads Through Fake MacOS Software Pages

Reading time: 2 min

Last Updated: Sep 24, 2025

Written by Kiara Fabbri Former Tech News Writer
Fact-Checked by Sarah Frazier Content Manager

A new large-scale cyberattack is targeting Mac users through fake GitHub pages impersonating well-known companies.

In a rush? Here are the quick facts:

Attackers impersonate companies to trick users into downloading malware.
Fake pages claimed to offer LastPass for macOS.
Campaign also targets tech, finance, and password management firms.

The attackers create fraudulent repositories on GitHub that appear to offer legitimate software for macOS, according to LastPass. . In reality, the downloads redirect victims to a site that installs Atomic Stealer, also known as AMOS malware.

The researchers argued that the malware has been active since April 2023, stealing passwords and financial information from users.

“The threat actors are using Search Engine Optimization (SEO) to deliver links to their malicious sites at the top of search pages, including Bing and Google,” LastPass explained.

LastPass confirmed that its own brand was used in the scam. Two GitHub pages set up on September 16 impersonated LastPass and included links claiming to “Install LastPass on MacBook.”

These redirected users to another malicious page, which then instructed them to run a command in their Mac’s terminal. The command triggered a download that secretly installed the Atomic Stealer malware.

Both of these fake LastPass pages have since been taken down, but the attackers appear to be using multiple GitHub accounts to bypass removals.

“We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts,” LastPass said.

The campaign is not limited to LastPass. The company reports that hackers are attacking multiple business sectors which include technology businesses and financial organizations and password protection services.

The security team at LastPass distributes indicators of compromise (IoCs) to organizations for threat detection while the company tracks the situation and provides additional information.

Kiara Fabbri

Written by: Kiara Fabbri

Hi, I’m Kiara Fabbri a former Tech News Writer at WatchEverywhere. I'm a multimedia journalist with a keen interest in innovative and immersive news storytelling. Fluent in three languages—Italian, English, and Spanish—I'm deeply engaged in all facets of news reporting. I am currently undertaking a Ph.D. exploring VR applications in journalism. Following my studies in psychology (BSc) and political psychology (MSc), I embarked on a three-year journey across South America. During this time, I undertook a 4000 km solo bicycle trip from Chile to Brazil. There, I camped, cooked on the road, and volunteered in various facilities. It was during these travels that I discovered my passion for journalism. Subsequently, I pursued a Master's program in journalism innovation and enterprise. My career in journalism has seen me produce VR immersive experiences covering a range of topics. These include documenting an Anti Militaristic raid of a NATO Base, life in the Brazilian Favelas, the recent violent protest clashes in Buenos Aires and finally social projects run by Skaters in the Argentinian ghettos. In addition to my journalistic endeavours, I also practice parkour, a discipline I have cultivated over several years now. I love to make the most of this skill in my journalistic style; for example, it has enabled me to capture dynamic footage from heights during the recent violent clashes in Buenos Aires. There, I scaled heights and employed a long stick on my camera to create aerial 360° views. Through my dedication to pushing the boundaries of journalism, I am committed to amplifying voices, sparking meaningful conversations, and driving positive change in the world.

Did you like this article? Rate it!

I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot

0 Voted by 0 users

Title

Your email Please enter a valid email address.

Comment

Thanks for your feedback

Share & Support

WatchEverywhere is reader-supported so we may receive a commission when you buy through links on our site. You do not pay extra for anything you buy on our site — our commission comes directly from the product owner. Some providers are owned by our parent company. Learn moreWatch Everywhere was established in 2018 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of cybersecurity researchers, writers, and editors continues to help readers maintain their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, Intego and Private Internet Access which may be ranked and reviewed on this website. The reviews published on Watch Everywhere are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and thorough examination by the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article..