Malicious Go Packages Discovered Deploying Malware on Linux and macOS
Attackers Use Typosquatting to Target Developers, Particularly in Finance
Cybersecurity researchers have uncovered an ongoing supply chain attack targeting the Go ecosystem, where typosquatted modules are being used to distribute loader malware on Linux and macOS systems.
According to Kirill Boychenko, a researcher at Socket, at least seven malicious Go packages have been identified, with one—github[.]com/shallowmulti/hypert—appearing to target financial-sector developers.
“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly,” Boychenko stated in a new report.
The Malicious Go Packages
While the malicious packages remain available on the official Go package repository, their corresponding GitHub repositories—except for github[.]com/ornatedoctrin/layout—have been removed. The affected packages are:
- shallowmulti/hypert (github.com/shallowmulti/hypert)
- shadowybulk/hypert (github.com/shadowybulk/hypert)
- belatedplanet/hypert (github.com/belatedplanet/hypert)
- thankfulmai/hypert (github.com/thankfulmai/hypert)
- vainreboot/layout (github.com/vainreboot/layout)
- ornatedoctrin/layout (github.com/ornatedoctrin/layout)
- utilizedsun/layout (github.com/utilizedsun/layout)
How the Attack Works
The malicious packages embed remote code execution (RCE) functionality: an obfuscated shell command downloads and runs a script from a remote server, alturastreet[.]icu. To evade detection, the script is designed to wait an hour before fetching the payload.
Once executed, the malware installs a malicious executable that could be used for stealing sensitive data or credentials.
A Persistent Threat
This discovery follows a previous Go ecosystem attack disclosed by Socket last month, where malicious packages enabled remote access to infected machines.
Boychenko highlighted that the repeated use of identical filenames, string obfuscation, and delayed execution suggests a highly coordinated adversary. The infrastructure behind the attack appears built for longevity, allowing the attackers to adapt and pivot quickly when domains or repositories are blacklisted.
Given the increasing frequency of supply chain attacks in open-source ecosystems, developers are urged to verify package sources and monitor dependencies for suspicious activity.
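One way to act on that advice for the campaign described above, as an added example that is not part of the report or Socket's tooling: a small Go checker that parses the require directives of a go.mod file, flags the seven module paths listed above, and also flags the owner-swap pattern (a dependency that shares its final path element with a module you trust but lives under a different owner). The trusted-module list is an assumption supplied by the caller; the legitimate upstream names are not given in the report.

```go
package main

import "strings"

// Module paths the Socket report above names as malicious.
var knownMalicious = map[string]bool{
	"github.com/shallowmulti/hypert":  true,
	"github.com/shadowybulk/hypert":   true,
	"github.com/belatedplanet/hypert": true,
	"github.com/thankfulmai/hypert":   true,
	"github.com/vainreboot/layout":    true,
	"github.com/ornatedoctrin/layout": true,
	"github.com/utilizedsun/layout":   true,
}

// Finding is one flagged dependency and the reason it was flagged.
type Finding struct{ Module, Reason string }

// ParseRequires returns module paths from go.mod require directives in both
// single-line and block form. A module line looks like
// "<path> v<semver> [// indirect]"; every other directive is skipped.
func ParseRequires(gomod string) []string {
	var mods []string
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) >= 2 && strings.Contains(f[0], "/") &&
			!strings.HasPrefix(f[0], "//") && strings.HasPrefix(f[1], "v") {
			mods = append(mods, f[0])
		}
	}
	return mods
}

// lastElem returns the final path element, e.g. "hypert".
func lastElem(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// CheckModules flags exact matches against knownMalicious and, for the
// owner-swap pattern seen in this campaign, any module whose final path
// element equals a trusted module's but whose full path differs.
// trusted is caller-supplied (assumed); no trusted names come from the report.
func CheckModules(mods, trusted []string) []Finding {
	var out []Finding
	for _, m := range mods {
		if knownMalicious[m] {
			out = append(out, Finding{m, "listed as malicious"})
			continue
		}
		for _, t := range trusted {
			if m != t && lastElem(m) == lastElem(t) {
				out = append(out, Finding{m, "same name as trusted " + t + " under a different owner"})
			}
		}
	}
	return out
}
```

Feed it the contents of a go.mod and a list of the modules you actually intend to depend on; anything returned deserves a look before the next `go build`.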