An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.