
Shweta Sharma
Senior Writer

Linux, macOS users infected with malware posing as legitimate Go packages

News | 07 Mar 2025 | 3 mins | Malware, Security

Threat actors are typosquatting popular Go packages such as Hypert and Layout to drop malware on Linux and macOS systems.

Image credit: Tero Vesalainen / Shutterstock

In a new typosquatting campaign, threat actors have been observed using malicious Go packages posing as popular libraries to install malware on unsuspecting Linux and macOS systems.

Researchers from Socket, a software supply chain security platform, found seven packages impersonating widely used Go libraries such as Hypert and Layout to trick developers.

“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly,” Socket researchers said in a blog post.

Typosquatting is a technique attackers use to create malicious websites, domains, or software packages with names that closely resemble legitimate ones. By exploiting common typing errors or slight variations, attackers trick users into downloading malware, revealing sensitive information, or installing harmful software.

Removal of the malicious packages from the Go Module Mirror has been requested, along with the flagging of the associated GitHub repositories and user accounts, the post added.

Typosquatting Hypert, Layout for RCE and more

According to the findings, the attackers cloned the popular “hypert” library, which developers use for testing HTTP API clients, releasing four fake versions embedded with remote code execution functions. The typosquatted clones were github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert.

One package in particular, “shallowmulti/hypert”, executed shell commands to download and run a malicious script from a typo variation (alturastreet[.]icu) of the legitimate banking domain alturacu.com.

Three additional packages were found impersonating the legitimate “layout” library: github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout.

These packages executed hidden shell commands to download and run malicious scripts for fetching and executing the ultimate ELF-based malware on Linux and macOS systems.

Campaign is tailor-made for persistence 

The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt, the researchers added.

The presence of multiple malicious Hypert and Layout packages along with several fallback domains also suggests a resilient infrastructure. This setup will allow threat actors to adapt quickly, ensuring continued operations even if a domain or repository is blacklisted or taken down.

“Given the threat actor’s demonstrated ability to upload malicious packages, there is a strong reason to suspect that similar tactics, techniques, and procedures (TTPs) will continue infiltrating the Go ecosystem,” the researchers noted. Among the steps developers can take to counter the campaign are adopting real-time scanning tools, conducting code audits, and managing dependencies carefully so that typosquatting attempts are caught before they reach a build.
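One concrete form of the careful dependency management mentioned above, as an added example that is not Socket's or the article's code: a check over a go.mod file that flags any required module reusing a trusted package name (hypert, layout) under a different module path, which is exactly the pattern the seven packages followed. The sample go.mod is constructed, and github.com/example-org stands in for the legitimate upstream owners, which the article does not name.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample go.mod: shallowmulti/hypert and vainreboot/layout are
// two typosquats named in the article; example-org is a placeholder owner,
// standing in for the real upstream module path, which the article omits.
const sampleGoMod = `module example.com/app
require golang.org/x/text v0.14.0
require (
	github.com/example-org/hypert v1.3.0
	github.com/shallowmulti/hypert v1.0.0 // indirect
	github.com/vainreboot/layout v0.2.1
)
`
// trustedModules is the allowlist of upstream modules a team really depends on.
var trustedModules = []string{"github.com/example-org/hypert", "github.com/example-org/layout"}

// FindTyposquats parses the require lines of go.mod text and maps each module that
// reuses a trusted package name under a different module path to the trusted module.
func FindTyposquats(goMod string, trusted []string) map[string]string {
	byName := map[string]string{} // package name -> trusted module path
	for _, t := range trusted {
		byName[path.Base(t)] = t
	}
	found := map[string]string{}
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:] // single-line form: require <module> <version>
		}
		if len(f) < 2 || !strings.Contains(f[0], "/") {
			continue // not a "<module> <version>" line
		}
		if t, ok := byName[path.Base(f[0])]; ok && t != f[0] {
			found[f[0]] = t
		}
	}
	return found
}

func main() {
	for mod, t := range FindTyposquats(sampleGoMod, trustedModules) {
		fmt.Printf("suspicious: %s reuses the name of %s\n", mod, t)
	}
}
```

In a CI job, a non-empty result should fail the build so a lookalike module never reaches `go build`.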