Fake GitHub SEO-poisoning campaign targeting macOS users with Atomic Stealer

Campaign
First reported
Last updated
Happening score
H score 39
1 unique source, 1 article

Summary

An ongoing information-stealer campaign is targeting Apple macOS users through fake GitHub repositories, creating a broad credential-theft risk across multiple impersonated tools. It uses SEO poisoning to push malicious pages to the top of Bing and Google results. Victims are funneled through an "Install LastPass on MacBook" lure and ClickFix-style Terminal commands that deploy Atomic Stealer. The use of multiple GitHub usernames suggests an effort to keep the operation alive after takedowns.

Related Happenings

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

SEO-poisoned GitHub facade campaign targeting enterprise admin tools

Campaign
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Timeline

  1. 20.09.2025 10:07 2 articles · 8mo ago

    LastPass warns of fake GitHub repositories targeting macOS

    Initial Disclosure

    LastPass warns of an ongoing information stealer campaign targeting Apple macOS users through fake GitHub repositories that impersonate tools such as 1Password, Dropbox, Notion, and other legitimate software, use SEO poisoning on Bing and Google to surface malicious links, and funnel victims through an "Install LastPass on MacBook" lure into ClickFix-style Terminal commands that deploy Atomic Stealer.
