Fake GitHub SEO-poisoning campaign targeting macOS users with Atomic Stealer
Campaign
Summary
Hide ▲
Show ▼
The ongoing information stealer campaign is targeting Apple macOS users through fake GitHub repositories, creating a broad credential-theft risk across multiple impersonated tools. It uses SEO poisoning to push malicious pages to the top of Bing and Google results. Victims are funneled through an "Install LastPass on MacBook" lure and ClickFix-style Terminal commands that deploy Atomic Stealer. The use of multiple GitHub usernames suggests an effort to keep the operation alive after takedowns.
Related Happenings
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
H score39
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
CampaignAbout this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
H score45
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Mini Shai-Hulud SAP-related npm supply-chain campaign
CampaignAbout this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Timeline
-
20.09.2025 10:07 2 articles · 9mo ago
LastPass warns of fake GitHub repositories targeting macOS
Initial DisclosureLastPass warns of an ongoing information stealer campaign targeting Apple macOS users through fake GitHub repositories that impersonate tools such as 1Password, Dropbox, Notion, and other legitimate software, use SEO poisoning on Bing and Google to surface malicious links, and funnel victims through an "Install LastPass on MacBook" lure into ClickFix-style Terminal commands that deploy Atomic Stealer.
Show sources
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07