Typosquatting Attack Targets Go Ecosystem with Malicious Modules on Linux and macOS

Cybersecurity researchers have uncovered an ongoing software supply chain attack targeting the Go ecosystem, using typosquatted packages to deploy loader malware on Linux and macOS systems.

Threat Actor Impersonates Popular Go Libraries

According to Socket researcher Kirill Boychenko, a threat actor has published at least seven malicious Go modules, some of which appear to specifically target financial-sector developers. These counterfeit packages mimic widely used Go libraries and employ consistent obfuscation techniques, suggesting a coordinated and adaptable adversary.

List of Malicious Go Packages:

  • shallowmulti/hypert (github.com/shallowmulti/hypert)
  • shadowybulk/hypert (github.com/shadowybulk/hypert)
  • belatedplanet/hypert (github.com/belatedplanet/hypert)
  • thankfulmai/hypert (github.com/thankfulmai/hypert)
  • vainreboot/layout (github.com/vainreboot/layout)
  • ornatedoctrin/layout (github.com/ornatedoctrin/layout)
  • utilizedsun/layout (github.com/utilizedsun/layout)
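As an added example (not code from the report or from Socket), the following Go program scans a go.mod for the exact module paths listed above and, going one step further, flags any other github.com/<owner>/hypert or github.com/<owner>/layout dependency whose owner is not on a caller-supplied allowlist of legitimate publishers; the report does not name those publishers, so the allowlist entry "exampleowner" and the sample go.mod are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Module paths reported in the article, keyed for exact matching.
var maliciousModules = map[string]bool{
	"github.com/shallowmulti/hypert": true, "github.com/shadowybulk/hypert": true, "github.com/belatedplanet/hypert": true,
	"github.com/thankfulmai/hypert": true, "github.com/vainreboot/layout": true, "github.com/ornatedoctrin/layout": true,
	"github.com/utilizedsun/layout": true,
}
type Finding struct{ Path, Version, Reason string } // one flagged require directive

// ScanGoMod walks the require directives of a go.mod (single-line and block form; "// indirect"
// and other comments are ignored). It flags exact hits on the list above, and any other
// github.com/<owner>/{hypert,layout} module whose owner is not in allowedOwners, the allowlist
// of legitimate publishers that the caller must supply (the article does not name them).
func ScanGoMod(goMod string, allowedOwners map[string]bool) []Finding {
	var findings []Finding
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(strings.TrimSpace(raw), "//")
		switch line = strings.TrimSpace(line); {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			f := strings.Fields(strings.TrimPrefix(line, "require "))
			if len(f) < 2 {
				continue
			}
			p := strings.Split(f[0], "/")
			switch {
			case maliciousModules[f[0]]:
				findings = append(findings, Finding{f[0], f[1], "known malicious module"})
			case len(p) == 3 && p[0] == "github.com" && (p[2] == "hypert" || p[2] == "layout") && !allowedOwners[p[1]]:
				findings = append(findings, Finding{f[0], f[1], "unvetted owner for an impersonated repository name"})
			}
		}
	}
	return findings
}

func main() { // constructed sample go.mod; "exampleowner" stands in for a vetted publisher
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/shallowmulti/hypert v1.0.2 // indirect\n\tgolang.org/x/text v0.14.0\n)\nrequire github.com/newowner/layout v1.1.0\n"
	for _, f := range ScanGoMod(sample, map[string]bool{"exampleowner": true}) {
		fmt.Printf("%s %s: %s\n", f.Path, f.Version, f.Reason)
	}
}
```

Running it against a real project is a matter of reading go.mod from disk and filling allowedOwners with the publishers your organisation has actually vetted.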

Remote Code Execution & Evasion Techniques

The malicious packages execute obfuscated shell commands that download and run a script from a remote server ("alturastreet[.]icu"). To evade detection, the script is not retrieved until an hour after execution. The attack ultimately deploys an executable that may steal credentials or sensitive data.

Persistent & Adaptive Threat

This campaign follows a previous attack on the Go ecosystem reported by Socket last month. The repeated use of identical filenames, string obfuscation, and delayed execution tactics suggests a persistent adversary with an infrastructure built for longevity. The attacker also employs fallback domains to quickly pivot when a repository or domain is blacklisted.

This discovery underscores the growing risks in open-source ecosystems, emphasizing the need for developer vigilance and supply chain security measures to prevent malicious package infiltration.