GitHub Clones and SEO Tricks Deliver Mac Infostealer

A widespread campaign is targeting macOS users with the Atomic Stealer malware by creating fraudulent GitHub repositories that impersonate legitimate software. Threat actors are using search engine optimization (SEO) poisoning to ensure these malicious pages rank highly in search results, luring unsuspecting users. When a user clicks a link, they are taken through a multi-stage redirection process that ultimately tricks them into running a terminal command. This command downloads the infostealer, which is designed to exfiltrate sensitive data like passwords, browser credentials, and cryptocurrency wallet information. Security researchers have identified and are working to take down these fake repositories, but warn users to be cautious and verify software sources.

Latest mentioned: 09-22
Earliest mentioned: 09-21