
Hacker Targets Mac Users Looking for LastPass Downloads on Search Engines
The password manager warns users about Google and Bing search results for LastPass and other apps that lead to GitHub pages containing malware.
By Michael Kan
A hacker is trying to infect Mac users with malware by exploiting internet searches for password managers and other apps, including LastPass.
LastPass is warning users about the threat, which involves deceptive download links appearing on search engines like Google and Microsoft’s Bing. The links forward users to pages on GitHub, a popular platform for hosting software projects, including free, open-source programs. LastPass itself has an official page on GitHub.

It looks like a hacker tried to exploit this by creating two fake GitHub pages for the Mac version of LastPass. In reality, the pages were a scheme designed to trick users into installing the Atomic malware, which can steal passwords and cryptocurrency details from a user’s browser.

According to LastPass, the malicious GitHub pages appear if you search Google for “lastpass github macos.” The GitHub pages then try to redirect users to another domain at “macprograms-pro[.]com/mac-git-2-download.html” to fool users into installing the actual malware.
The hacker uses search engine optimization techniques to elevate the GitHub pages on Google and Bing search results. It's unclear what those techniques are, but creating a network of fake web pages that link to the malicious GitHub pages and using specific keywords can push a page higher in search results.
The hacker behind the attack also tried to exploit searches for a large number of Mac-related apps. “This campaign appears to be targeting a range of companies, including tech companies, financial institutions, password managers, and more,” LastPass added.
The other products targeted include stock trading app Robinhood, 1Password, free audio editor Audacity, and video editor DaVinci Resolve for Macs.
The good news is that the malicious GitHub pages appear to have been taken down. However, if you search for “lastpass github macos,” you can still find one of the malicious GitHub pages near the top of the results. The incident is a reminder that it's best to download apps from official domains and app stores.