Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fake GitHub SEO-poisoning campaign targeting macOS users with Atomic Stealer

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The ongoing information stealer campaign is targeting Apple macOS users through fake GitHub repositories, creating a broad credential-theft risk across multiple impersonated tools. It uses SEO poisoning to push malicious pages to the top of Bing and Google results. Victims are funneled through an "Install LastPass on MacBook" lure and ClickFix-style Terminal commands that deploy Atomic Stealer. The use of multiple GitHub usernames suggests an effort to keep the operation alive after takedowns.

Related Happenings

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

SEO-poisoned GitHub facade campaign targeting enterprise admin tools

Campaign
H score39 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
H score23 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
H score45 First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Timeline

  1. 20.09.2025 10:07 2 articles · 9mo ago

    LastPass warns of fake GitHub repositories targeting macOS

    Initial Disclosure

    LastPass warns of an ongoing information stealer campaign targeting Apple macOS users through fake GitHub repositories that impersonate tools such as 1Password, Dropbox, Notion, and other legitimate software, use SEO poisoning on Bing and Google to surface malicious links, and funnel victims through an "Install LastPass on MacBook" lure into ClickFix-style Terminal commands that deploy Atomic Stealer.

    Show sources