Thursday, May 8, 2025

7 Malicious Go Packages Target Linux & macOS to Deploy Stealthy Malware Loader


Security researchers at Socket have uncovered a sophisticated malware campaign targeting the Go ecosystem.

The threat actor has published at least seven malicious packages on the Go Module Mirror, impersonating widely-used Go libraries to install hidden loader malware on Linux and macOS systems.

The malicious packages employ typosquatting techniques to mimic popular libraries such as “hypert” and “layout.”


Four packages (github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert) impersonate the legitimate github.com/areknoster/hypert library, while three others (github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout) masquerade as the github.com/loov/layout library.

Figure: malicious layout packages

Obfuscation Techniques and Payload Execution

The malicious packages utilize array-based string obfuscation to conceal their true intentions.

Upon import, they execute a hidden function that constructs and runs a shell command to download and execute a remote script.
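The two traits described above, a string assembled from an array of fragments and a command launched from init() so that it runs on import, are both visible in a package's source before anything is executed. The following is an added example, not code from Socket or from the packages in the report: a small static check built on the standard go/ast package that flags os/exec calls reachable from init() and array literals made of short string constants. The embedded SampleSource is a constructed, harmless stand-in that only echoes a greeting; the thresholds (four elements, four characters) are assumed heuristics.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one suspicious pattern located in a Go source file.
type Finding struct {
	Line int
	What string
}

// SampleSource is a constructed, harmless stand-in for the shape described in
// the report: a string built from an array of fragments and a shell command
// launched from init(), so it runs on import. It only echoes "hello".
const SampleSource = `package layout

import (
	"os/exec"
	"strings"
)

var parts = []string{"ec", "ho", " h", "el", "lo"}

func init() {
	cmd := exec.Command("sh", "-c", strings.Join(parts, ""))
	_ = cmd.Run()
}

func Render() string { return "looks legitimate" }
`

// importsOSExec reports whether the file imports "os/exec" and the local name
// it is bound to (an alias, or the default "exec").
func importsOSExec(f *ast.File) (string, bool) {
	for _, imp := range f.Imports {
		if imp.Path.Value == "\"os/exec\"" {
			if imp.Name != nil {
				return imp.Name.Name, true
			}
			return "exec", true
		}
	}
	return "", false
}

// shortStringArray reports whether a composite literal is an array or slice
// of at least minElems short string constants (assumed heuristic: at most
// four characters each, i.e. six bytes including the quotes).
func shortStringArray(lit *ast.CompositeLit, minElems int) bool {
	if _, ok := lit.Type.(*ast.ArrayType); !ok || len(lit.Elts) < minElems {
		return false
	}
	for _, e := range lit.Elts {
		b, ok := e.(*ast.BasicLit)
		if !ok || b.Kind != token.STRING || len(b.Value) > 6 {
			return false
		}
	}
	return true
}

// ScanSource parses one Go file and flags (a) os/exec calls made directly
// inside init(), which execute on import, and (b) short-string array literals.
// It is a heuristic: calls routed through helper functions are not followed.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	execName, hasExec := importsOSExec(f)
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.FuncDecl:
			if x.Name.Name != "init" || x.Body == nil || !hasExec {
				return true
			}
			ast.Inspect(x.Body, func(m ast.Node) bool {
				call, ok := m.(*ast.CallExpr)
				if !ok {
					return true
				}
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
					if id, ok := sel.X.(*ast.Ident); ok && id.Name == execName {
						out = append(out, Finding{fset.Position(call.Pos()).Line,
							"init() calls " + execName + "." + sel.Sel.Name})
					}
				}
				return true
			})
		case *ast.CompositeLit:
			if shortStringArray(x, 4) {
				out = append(out, Finding{fset.Position(x.Pos()).Line,
					fmt.Sprintf("array of %d short string literals", len(x.Elts))})
			}
		}
		return true
	})
	return out, nil
}

func main() {
	findings, err := ScanSource("sample.go", SampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.What)
	}
}
```

Run against the sample it reports the fragment array on line 8 and the exec.Command call in init() on line 11. A check like this belongs in the isolated review step, before the module is ever built, because `go build` and `go test` both trigger package initialisation.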

This script, in turn, fetches and installs an ELF file named “f0eee999” from various domains, including alturastreet[.]icu, host3ar[.]com, and binghost7[.]com.

The ELF file exhibits minimal initial malicious behavior, such as reading /sys/kernel/mm/transparent_hugepage/, suggesting it may be a cryptominer or loader that remains dormant until specific conditions are met.

The malware specifically targets UNIX-like environments, placing developers using Linux and macOS systems at risk.

Coordinated Infrastructure and Persistence

The threat actor demonstrates a high level of coordination and persistence.

The repeated use of identical filenames (a31546bf, f0eee999), consistent obfuscation techniques, and multiple fallback domains indicate an infrastructure designed for longevity.

This setup allows the adversary to pivot quickly when a domain or repository is blacklisted or removed.

The malicious domain alturastreet[.]icu bears a superficial resemblance to alturacu.com, the legitimate online banking portal for Altura Credit Union.

This suggests a potential attempt to exploit brand recognition for typosquatting or spearphishing campaigns targeting financial sector developers.

To protect against these threats, developers should implement real-time scanning tools, conduct thorough code audits, and practice careful dependency management.

Socket recommends using its GitHub app, CLI, or web extension to automatically detect and block typosquatted or malicious packages before they are merged into projects.

Additionally, developers should audit new modules in isolated environments, review commits for anomalies, and scrutinize any package that closely mimics a known library’s name.
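The last of those checks, scrutinising any package whose name closely mimics a known library, can be automated against a project's go.mod. The following is an added example, not Socket's tooling or any code from the report: it parses the require directives of a go.mod (both the single-line and the block form), then compares each module's repository name with a vetted allowlist and flags entries that share a repository name with a vetted module under a different owner, or whose repository name is within a small edit distance of one. The allowlist, the sample go.mod and the edit-distance threshold of 2 are assumptions; the impersonating paths in the sample are two of those listed above.

```go
package main

import (
	"fmt"
	"strings"
)

// Suspect is a go.mod requirement that resembles a vetted module without being it.
type Suspect struct {
	Module    string
	LooksLike string
	Reason    string
}

// KnownModules is a constructed allowlist of module paths the team has
// reviewed; the two entries are the legitimate libraries named in the report.
var KnownModules = []string{
	"github.com/areknoster/hypert",
	"github.com/loov/layout",
}

// SampleGoMod is a constructed go.mod mixing the legitimate modules with two
// of the impersonating paths from the report and one unrelated module.
const SampleGoMod = `module example.com/app

go 1.22

require (
	github.com/areknoster/hypert v0.1.0
	github.com/shallowmulti/hypert v0.1.1 // indirect
	github.com/loov/layout v0.3.0
	github.com/ornatedoctrin/layout v0.3.0
)

require github.com/stretchr/testify v1.9.0
`

// Requires returns the module path of every require directive in a go.mod,
// handling both the single-line and the parenthesised block form.
func Requires(gomod string) []string {
	var mods []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, strings.Fields(line)[0])
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// repoName returns the last path element, e.g. "hypert" for ".../hypert".
func repoName(path string) string {
	return path[strings.LastIndex(path, "/")+1:]
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the plain edit distance, used to catch near-miss names.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// CheckGoMod flags requirements that are not on the allowlist but whose
// repository name equals, or is within edit distance 2 of, a vetted module's.
func CheckGoMod(gomod string, known []string) []Suspect {
	isKnown := map[string]bool{}
	for _, k := range known {
		isKnown[k] = true
	}
	var out []Suspect
	for _, mod := range Requires(gomod) {
		if isKnown[mod] {
			continue
		}
		name := repoName(mod)
		for _, k := range known {
			kn := repoName(k)
			switch {
			case name == kn:
				out = append(out, Suspect{mod, k, "same repository name, different owner"})
			case levenshtein(name, kn) <= 2:
				out = append(out, Suspect{mod, k, "repository name within edit distance 2"})
			}
		}
	}
	return out
}

func main() {
	for _, s := range CheckGoMod(SampleGoMod, KnownModules) {
		fmt.Printf("%s looks like %s: %s\n", s.Module, s.LooksLike, s.Reason)
	}
}
```

On the sample it flags github.com/shallowmulti/hypert and github.com/ornatedoctrin/layout and stays quiet about the vetted modules and about github.com/stretchr/testify. The same comparison can be run over `go list -m all` output so that indirect dependencies are covered as well.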

Implementing strong endpoint detection and response systems, alongside robust network monitoring, can provide additional layers of defense against such supply chain attacks.

As the Go ecosystem continues to grow, maintaining security requires ongoing vigilance, improved controls, and awareness of how adversaries exploit open source distribution channels.

By adopting these measures and staying informed about emerging threats, developers and organizations can significantly reduce their exposure to supply chain compromises and safeguard their projects against malicious actors.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
