
Mac malware SEO poisoning campaign using phony GitHub repositories

Campaign
H score 38
1 unique source, 1 article

Summary


A Mac malware campaign is using SEO poisoning and phony GitHub repositories to push Atomic infostealer (AMOS) to Mac users, making search results a delivery path for malware. The fake pages impersonate legitimate software and direct victims to run a malicious terminal command. The operation has reached companies in the technology and financial sectors and included lures created on Sept. 16.

Related Happenings

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Claude Code leak GitHub Vidar lure campaign

Campaign
First: 02.04.2026 23:30 Last: 02.04.2026 23:30 Sources 1

About this happening: A **malicious GitHub repository campaign** is abusing the **Claude Code leak** to deliver **Vidar** to users searching for leaked code. The lure uses a **fake leak**, **search-eng...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A campaign **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

How related: That code, at least in the case of the fake LastPass pages, leads to the download and execution of the Atomic infostealer (also known as AMOS).

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...

MacOS infostealer campaign using fake ads and ClickFix lures

Campaign
First: 04.02.2026 09:42 Last: 04.02.2026 09:42 Sources 1

About this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...

Timeline

  1. 22.09.2025 22:44 1 article · 8mo ago

    Fake GitHub repositories created to deliver AMOS

    Exploitation Observed

    Threat actors created fake GitHub listings on Sept. 16 for repositories such as "LastPass Premium on MacBook," filling the pages with macOS-related terminology and a terminal command that led Mac users to download and execute Atomic infostealer (AMOS).

  2. 18.09.2025 03:00 2 articles · 8mo ago

    LastPass TIME discloses SEO-poisoned GitHub campaign

    Initial Disclosure

    On Sept. 18, LastPass TIME described an emerging campaign using SEO poisoning and phony GitHub pages to deliver Atomic infostealer (AMOS) to Mac users, saying the activity targeted companies across the technology and financial sectors, including LastPass, and that the fake sites were submitted for takedown and were no longer active.
