Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
Summary
Hide ▲
Show ▼
Atomic MacOS Stealer (AMOS) is being distributed to macOS users through multiple delivery paths, including fraudulent GitHub repositories, SEO poisoning, malvertising, ClickFix-style terminal prompts, and cracked software lures. The latest reporting adds a related thread in which attackers use cracked versions of legitimate software and ClickFix-style tactics to infect Apple macOS systems, pushing victims toward malicious Terminal commands instead of traditional .dmg installs.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Actions-cool/issues-helper hit by network compromise
Incident
First: 19.05.2026 08:28
Last: 19.05.2026 08:28
Sources 1
About this happening:
The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
Actions-cool/issues-helper hit by network compromise
IncidentAbout this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
-
12.02.2026 16:25 6 articles · 3mo ago
AMOS distribution via AI-app lures and supply-chain abuse
Technical Analysis UpdateAtomic MacOS Stealer (AMOS) is being distributed to macOS users through AI-app lures, poisoned skill marketplaces, fraudulent GitHub repositories, SEO poisoning, malvertising, and ClickFix-style terminal prompts, with malicious installers and add-ons designed to steal credentials, browser sessions, crypto wallet data, SSH keys, PII, and other sensitive files.
Show sources
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- AMOS infostealer targets macOS through a popular AI app — www.bleepingcomputer.com — 12.02.2026 16:25
- Bing AI promoted fake OpenClaw GitHub repo pushing info-stealing malware — www.bleepingcomputer.com — 06.03.2026 00:37
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages — thehackernews.com — 05.09.2025 09:13