
Mar 05, 2025 | Ravie Lakshmanan | Open Source / Malware

Cybersecurity experts have issued a warning about an ongoing malicious campaign targeting the Go ecosystem, where typosquatted modules are being used to deploy loader malware on Linux and Apple macOS systems.

Socket researcher Kirill Boychenko said in a recent report, “the threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers.”

Boychenko noted that “these packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly.”


Although all the packages are still available on the official package repository, their corresponding GitHub repositories, with the exception of “github[.]com/ornatedoctrin/layout”, are no longer accessible. The list of offending Go packages includes:

  • shallowmulti/hypert (github.com/shallowmulti/hypert)
  • shadowybulk/hypert (github.com/shadowybulk/hypert)
  • belatedplanet/hypert (github.com/belatedplanet/hypert)
  • thankfulmai/hypert (github.com/thankfulmai/hypert)
  • vainreboot/layout (github.com/vainreboot/layout)
  • ornatedoctrin/layout (github.com/ornatedoctrin/layout)
  • utilizedsun/layout (github.com/utilizedsun/layout)

Socket’s analysis revealed that the counterfeit packages contain code designed to achieve remote code execution by running an obfuscated shell command to retrieve and run a script hosted on a remote server (“alturastreet[.]icu”). The remote script is not fetched until an hour has elapsed, likely in an attempt to evade detection.

The ultimate goal of the attack is to install and run an executable file that can potentially steal data or credentials.
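As an added example (not code from Socket or the original article), the following Go audit walks a go.mod file and flags two things the campaign relies on: a require line that names one of the seven module paths listed above, and a lookalike whose final path element (hypert, layout) matches a module your organisation trusts but under a different owner. The sample go.mod, the owner "someuser" and the trusted paths passed in are constructed assumptions.

```go
package main

import "strings"

// KnownMalicious holds the seven module paths named in the Socket report.
var KnownMalicious = map[string]bool{
	"github.com/shallowmulti/hypert": true, "github.com/shadowybulk/hypert": true,
	"github.com/belatedplanet/hypert": true, "github.com/thankfulmai/hypert": true,
	"github.com/vainreboot/layout": true, "github.com/ornatedoctrin/layout": true,
	"github.com/utilizedsun/layout": true,
}

// SampleGoMod is a constructed go.mod for offline use; "someuser" is made up.
const SampleGoMod = `module example.com/app
require (
	github.com/shallowmulti/hypert v1.0.0
	github.com/someuser/layout v0.2.0 // indirect
)
require golang.org/x/text v0.14.0`

// AuditGoMod maps each suspicious required module to "known-malicious" (block-listed)
// or "lookalike" (base name, e.g. "layout", is in trusted but the full path differs).
func AuditGoMod(goMod string, trusted map[string]string) map[string]string {
	findings := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line) // a trailing "// indirect" just adds fields
		var mod string
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case len(f) >= 3 && f[0] == "require": // single-line require
			mod = f[1]
		case inBlock && len(f) >= 2 && f[0] != "//": // "path version" in block
			mod = f[0]
		default:
			continue
		}
		base := mod[strings.LastIndex(mod, "/")+1:]
		if KnownMalicious[mod] {
			findings[mod] = "known-malicious"
		} else if want, ok := trusted[base]; ok && want != mod {
			findings[mod] = "lookalike"
		}
	}
	return findings
}
```

The block list is only a point-in-time snapshot of the report; the lookalike check is what keeps catching new owners publishing under the same base names.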


This disclosure comes a month after Socket revealed another instance of a software supply chain attack targeting the Go ecosystem via a malicious package capable of granting the adversary remote access to infected systems.

According to Boychenko, “the repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt.”

He further noted, “the discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity, enabling the threat actor to pivot whenever a domain or repository is blacklisted or removed.”
