7 Malicious Go Packages Target Linux & macOS to Deploy Stealthy Malware Loader

Security researchers at Socket have uncovered a sophisticated malware campaign targeting the Go ecosystem.

The threat actor has published at least seven malicious packages on the Go Module Mirror, impersonating widely-used Go libraries to install hidden loader malware on Linux and macOS systems.

The malicious packages employ typosquatting techniques to mimic popular libraries such as “hypert” and “layout.”

Four packages (github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert) impersonate the legitimate github.com/areknoster/hypert library, while three others (github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout) masquerade as the github.com/loov/layout library.

Obfuscation Techniques and Payload Execution

The malicious packages utilize array-based string obfuscation to conceal their true intentions.

Upon import, they execute a hidden function that constructs and runs a shell command to download and execute a remote script.

This script, in turn, fetches and installs an ELF file named “f0eee999” from various domains, including alturastreet[.]icu, host3ar[.]com, and binghost7[.]com.

The ELF file exhibits minimal initial malicious behavior, such as reading /sys/kernel/mm/transparent_hugepage/, suggesting it may be a cryptominer or loader that remains dormant until specific conditions are met.

The malware specifically targets UNIX-like environments, placing developers using Linux and macOS systems at risk.

Coordinated Infrastructure and Persistence

The threat actor demonstrates a high level of coordination and persistence.

The repeated use of identical filenames (a31546bf, f0eee999), consistent obfuscation techniques, and multiple fallback domains indicate an infrastructure designed for longevity.

This setup allows the adversary to pivot quickly when a domain or repository is blacklisted or removed.

The malicious domain alturastreet[.]icu bears a superficial resemblance to alturacu.com, the legitimate online banking portal for Altura Credit Union.

This suggests a potential attempt to exploit brand recognition for typosquatting or spearphishing campaigns targeting financial sector developers.

To protect against these threats, developers should implement real-time scanning tools, conduct thorough code audits, and practice careful dependency management.

Socket recommends using their GitHub app, CLI, or web extension to automatically detect and block typosquatted or malicious packages before they are merged into projects.

Additionally, developers should audit new modules in isolated environments, review commits for anomalies, and scrutinize any package that closely mimics a known library’s name.

Implementing strong endpoint detection and response systems, alongside robust network monitoring, can provide additional layers of defense against such supply chain attacks.

As the Go ecosystem continues to grow, maintaining security requires ongoing vigilance, improved controls, and awareness of how adversaries exploit open source distribution channels.

By adopting these measures and staying informed about emerging threats, developers and organizations can significantly reduce their exposure to supply chain compromises and safeguard their projects against malicious actors.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free