Ongoing Malware Campaign Targets Go Ecosystem with Typosquatted Packages

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers are raising alarms about a sophisticated and ongoing malicious campaign that targets the Go programming ecosystem. Attackers are distributing typosquatted modules designed to deploy loader malware on Linux and macOS systems, potentially compromising developers and organizations.

Typosquatting: A Growing Threat in Software Supply Chains

Typosquatting is a common tactic used in software supply chain attacks, where attackers create malicious packages with names similar to legitimate libraries. These counterfeit packages trick developers into unintentionally installing and using them in their applications, leading to unauthorized remote access, data theft, or malware deployment.

According to Socket researcher Kirill Boychenko, the latest attack targets widely used Go libraries, with at least seven malicious packages identified. One package, github[.]com/shallowmulti/hypert, appears to specifically target financial-sector developers, highlighting the sophistication and potential impact of the campaign.

List of Malicious Go Packages Identified

The attack campaign includes the following counterfeit Go modules:

  • shallowmulti/hypert (github.com/shallowmulti/hypert)

  • shadowybulk/hypert (github.com/shadowybulk/hypert)

  • belatedplanet/hypert (github.com/belatedplanet/hypert)

  • thankfulmai/hypert (github.com/thankfulmai/hypert)

  • vainreboot/layout (github.com/vainreboot/layout)

  • ornatedoctrin/layout (github.com/ornatedoctrin/layout)

  • utilizedsun/layout (github.com/utilizedsun/layout)

Although these malicious packages remain available on the official Go package repository (the Go module proxy caches a module once it has been fetched, so deleting the source repository does not remove it), their corresponding GitHub repositories—except for ornatedoctrin/layout—have already been removed.

How the Attack Works

Socket’s analysis found that the malicious packages contain obfuscated code that facilitates remote code execution (RCE). The malware executes a shell command that retrieves and runs a remote script hosted on a malicious server (alturastreet[.]icu).

To evade detection, the malware employs delayed execution tactics—the script is not fetched immediately but only after an hour. This allows the package to slip past security measures that rely on short-lived behavioral analysis, such as a sandbox that only observes a package for a few minutes after installation.

Final Payload: Data Theft & Credential Harvesting

The ultimate objective of the attack appears to be the installation of an executable file that can:

  • Exfiltrate sensitive data

  • Steal login credentials

  • Provide persistent access for attackers

An Expanding Threat Landscape

This disclosure comes just a month after Socket reported another supply chain attack targeting the Go ecosystem. That incident involved a malicious package designed to grant remote access to infected systems, emphasizing a growing trend of persistent and well-coordinated adversaries targeting developers.

Key Indicators of a Coordinated Attack

According to Boychenko, the attack displays signs of a highly coordinated threat actor:

  • Use of identical filenames across different packages

  • Obfuscated code to conceal malicious payloads

  • Delayed execution techniques to evade immediate detection

  • Multiple fallback domains to maintain persistence even if blacklisted

“The discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity,” Boychenko noted. “This enables the threat actor to pivot whenever a domain or repository is blacklisted or removed.”

Protecting Against Supply Chain Attacks

Developers and organizations using Go libraries are strongly advised to:

  1. Carefully review dependencies before installing them.

  2. Verify package authenticity by checking the official GitHub repository and maintainers.

  3. Monitor software supply chains for suspicious updates or unexpected package changes.

  4. Use security tools such as dependency scanners to detect malicious code.

  5. Regularly audit projects to remove unnecessary or untrusted dependencies.
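One way to put steps 2 and 3 into practice, as an added example that is not from the article or from Socket: a small Go program that parses a project's go.mod and flags any required module whose package name matches an approved module on an organisation's allowlist but that lives under a different path, which is exactly how the hypert and layout typosquats were published (several GitHub accounts, one package name). The allowlist, the example.com/example-org paths and the sample go.mod are hypothetical and constructed for this example.

```go
package main

import (
	"path"
	"strings"
)

// Constructed go.mod; the first module is a typosquat from the article's list.
const sampleGoMod = `module example.com/app
require (
	github.com/shallowmulti/hypert v0.1.0 // indirect
)
require golang.org/x/text v0.14.0
`
// Hypothetical allowlist (an assumption), keyed by each module's last path element.
var approved = map[string]string{
	"hypert": "github.com/example-org/hypert",
	"text":   "golang.org/x/text",
}

// requiredModules lists the module paths named in a go.mod's require directives.
func requiredModules(gomod string) (mods []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 0 || strings.HasPrefix(f[0], "//"): // blank or comment line
		case f[0] == "require" && len(f) > 1 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mods = append(mods, f[1])
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, f[0])
		}
	}
	return
}
// lookalikes flags modules that share a last path element with an approved module
// but live under a different path, mapping each suspect path to the approved one.
func lookalikes(mods []string, approved map[string]string) map[string]string {
	found := map[string]string{}
	for _, m := range mods {
		if want, ok := approved[path.Base(m)]; ok && !strings.EqualFold(want, m) {
			found[m] = want
		}
	}
	return found
}
```

Run it against a real go.mod and a maintained allowlist as a CI step; a non-empty result means a dependency uses an approved package name under an unexpected owner and should be reviewed before the build proceeds.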

Conclusion

The increasing use of typosquatting in supply chain attacks underscores the importance of vigilance and proactive security measures when managing dependencies in software projects. As threat actors continue to adapt, developers must prioritize code security to protect their systems from compromised packages in widely used ecosystems like Go.