When looking for a reliable tool to protect your passwords, the last thing you expect is to fall into a trap designed to steal your data. But that’s exactly what’s happening. LastPass has issued a warning about a new campaign targeting macOS users, where cybercriminals impersonate password managers and other popular programs to spread malware.
At TecnetOne, we’ll explain how this threat works, which software is being faked, and what steps you can take to avoid becoming a victim.
What’s Happening with Fake Password Managers?
Attackers are creating fraudulent GitHub repositories that look official. They host supposed versions of well-known apps, but what they actually deliver is malware called Atomic Stealer (AMOS).
This malicious tool is part of a Malware-as-a-Service (MaaS) operation, available on underground forums for $1,000/month. Its main goal is to steal sensitive data from infected machines—including login credentials, cookies, browsing history, and even cryptocurrency wallet details.
The campaign uses search engine optimization (SEO) techniques to push these fake repositories to the top of Google or Bing results, increasing the chances of luring victims.
Malicious Google Search result (Source: LastPass)
How the Attack Works
The attack follows a method known as ClickFix, where users are tricked into running a command in macOS Terminal without understanding its consequences.
Here’s how it happens:
- You search for software like LastPass, 1Password, or Notion on Google.
- A top result leads you to a legit-looking GitHub repository.
- The page includes a “Download” button.
- That button redirects to a separate website with Terminal instructions.
- You’re told to copy-paste a command into Terminal.
That command silently uses curl to download a malicious install.sh file into your /tmp folder. Once executed, AMOS installs itself and starts exfiltrating your data.
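The command shape described above (curl fetching install.sh into /tmp, then running it) can be checked before anything is pasted into Terminal. The shell function below is an added example, not code from LastPass's report or from this article; the function names, verdict labels and the example.invalid host are assumptions, and it also flags the closely related pipe-into-shell variant, which goes beyond the specific case in the text.

```shell
#!/bin/sh
# Added example: classify a command string BEFORE it is pasted into Terminal.
# The command is only inspected as text, never executed.
# Output: "BLOCK <reasons>", "REVIEW <reasons>" or "OK".

# _matches TEXT REGEX -> exit 0 if TEXT matches the extended regex
_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

check_pasted_command() {
    cmd=$1
    reasons=""

    # 1. A network downloader is invoked.
    _matches "$cmd" '(^|[^[:alnum:]_-])(curl|wget)[[:space:]]' \
        && reasons="$reasons downloader"
    # 2. A path under /tmp is referenced (/private/tmp is its real path on macOS).
    _matches "$cmd" '(^|[^[:alnum:]_.-])(/private)?/tmp/' \
        && reasons="$reasons tmp-path"
    # 3. The download is piped straight into a shell interpreter.
    _matches "$cmd" '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' \
        && reasons="$reasons pipe-to-shell"
    # 4. A shell interpreter is started on a file that lives under /tmp.
    _matches "$cmd" '(^|[;&|[:space:]])(ba|z)?sh[[:space:]]+([^;&|]*[[:space:]])?(/private)?/tmp/' \
        && reasons="$reasons runs-tmp-script"

    # Download plus execution in one pasted line is the ClickFix shape: refuse it.
    case "$reasons" in
        *downloader*pipe-to-shell*|*downloader*runs-tmp-script*)
            echo "BLOCK$reasons" ;;
        "")
            echo "OK" ;;
        *)
            echo "REVIEW$reasons" ;;
    esac
}

# Stand-alone use: sh check.sh 'command copied from a web page'
if [ "$#" -gt 0 ]; then
    check_pasted_command "$*"
fi
```

A BLOCK verdict means the line both downloads and executes in one step; REVIEW means only part of the pattern is present and the command should be read through before it is run.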
Software and Services Being Imitated
The campaign doesn’t stop at LastPass. According to the report, attackers have created fake versions of over 100 applications, including:
- Password managers like 1Password
- Cloud and collaboration platforms: Dropbox, Notion, Confluence
- Financial apps: Robinhood, Fidelity, Gemini
- Creative tools: Adobe After Effects, Audacity
- Email clients: Thunderbird
- Even cybersecurity solutions like SentinelOne
Everything appears legitimate—GitHub pages, branding, and installation instructions—all designed to build trust.
GitHub repository claiming affiliation with LastPass (Source: LastPass)
Why AMOS Is So Dangerous
While Atomic Stealer was already known in cybersecurity circles, its developers recently added a persistent backdoor—making it even more dangerous.
Not only does it steal your data, but it also gives attackers ongoing, stealthy access to your Mac. They can install more malware or use your device as a launchpad for broader attacks.
Page hosting the ClickFix instructions (Source: LastPass)
Similar Campaigns in the Past
ClickFix-style attacks on macOS aren't new. Past campaigns used fake ads to promote bogus solutions to system errors or impersonated legitimate brands like Booking.com.
What makes this campaign stand out is its scale and execution: over 100 programs spoofed and a well-executed SEO strategy to reach thousands of users.
How to Protect Yourself
At TecnetOne, we always stress: prevention is your first line of defense. Here’s what you can do:
- Download only from official websites. If you're looking for an app, go straight to the vendor’s site. Don’t trust top search results blindly.
- Never run Terminal commands you don’t fully understand.
- Verify GitHub repositories. Look for signs of authenticity like verified accounts, contributor history, and follower count.
- Keep your Mac up to date with the latest macOS and app security patches.
- Use a reputable security solution. At TecnetOne, we partner with trusted vendors to detect suspicious behavior and data exfiltration.
- Enable two-factor authentication (2FA). If your credentials are stolen, this second layer could stop an attacker in their tracks.
What to Do If You Think You’re Infected
If you ever copied a Terminal command from a suspicious GitHub page, here’s what to do:
- Immediately disconnect your Mac from the internet.
- Run a malware scan with a trusted security tool.
- Change all your passwords using another clean device.
- Monitor your banking and crypto accounts for suspicious activity.
- Consider a clean reinstall of macOS, especially if a persistent backdoor is suspected.
Final Thoughts
Cybercriminals are getting more creative and opportunistic. This campaign combines SEO manipulation, fake GitHub repositories, and Terminal-based installation—making it easy to fall for if you're not cautious.
At TecnetOne, we believe the best defense is digital awareness: learn to spot red flags, verify sources, and never run what you don’t understand.
The campaign faking LastPass (and more than 100 other apps) is a clear reminder that even Mac users aren’t immune. The idea that macOS is “safe by default” no longer holds up.
Cybersecurity isn’t about fear—it’s about smart prevention. If you follow best practices, you can enjoy the full power of your Mac without becoming an easy target.