Researchers have uncovered a campaign targeting macOS users with the Atomic Stealer malware (AMOS). Attackers are setting up GitHub repositories impersonating trusted brands and manipulating SEO to push them high in search results, redirecting victims to AMOS payloads.
LastPass confirmed two repos impersonating its brand went live on September 16 before being taken down. CrowdStrike has also released research uncovering fraudulent ads spreading SHAMOS, a related variant, suggesting the threat family is spreading.
Adam Boynton, senior security strategy manager at Jamf warns that this campaign shows how easily trusted platforms and search signals can be weaponized.
“Infostealers like AMOS and SHAMOS thrive when users are tricked into downloading from fraudulent sources,” he says. “The abuse of GitHub and SEO shows how easily trust signals can be weaponized. Security teams should double down on endpoint visibility and threat telemetry across macOS fleets, while reinforcing that updates and installations only come from official channels. Combining strong user awareness with Apple-native security tooling is the best defense here.”
Article provided with permission from AppleWorld.Today