OTX Bot
@techbot@social.raytec.co · 16 hours ago

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.

Pulse ID: 69772ba9dd9a67872ce009f7
Pulse Link: https://otx.alienvault.com/pulse/69772ba9dd9a67872ce009f7
Pulse Author: AlienVault
Created: 2026-01-26 08:54:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #GitHub #Google #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #SEOPoisoning #Windows #bot #cryptocurrency #AlienVault
