Cybersecurity researchers have issued a warning about a new malicious campaign targeting the Go ecosystem. The attackers employ a technique known as typosquatting, crafting counterfeit modules that inject malware into devices running Linux and macOS.
Experts at Socket have identified no fewer than seven fraudulent packages masquerading as popular Go libraries. One such package, github[.]com/shallowmulti/hypert, appears to be aimed at developers in the financial sector. Analysis reveals that all the malicious modules share recurring file names and similar code obfuscation techniques, suggesting the involvement of a coordinated threat group capable of rapidly adapting its tactics.
Despite these malicious packages remaining available in Go’s official repository, their corresponding GitHub repositories—except for github[.]com/ornatedoctrin/layout—have been taken down. The discovered threats include:
- shallowmulti/hypert (github.com/shallowmulti/hypert)
- shadowybulk/hypert (github.com/shadowybulk/hypert)
- belatedplanet/hypert (github.com/belatedplanet/hypert)
- thankfulmai/hypert (github.com/thankfulmai/hypert)
- vainreboot/layout (github.com/vainreboot/layout)
- ornatedoctrin/layout (github.com/ornatedoctrin/layout)
- utilizedsun/layout (github.com/utilizedsun/layout)
Researchers determined that these malicious modules contain code enabling remote command execution. This is achieved through an obfuscated command line that downloads and executes a script from a remote server (alturastreet[.]icu). Notably, the script is retrieved only an hour after execution, allowing the attackers to evade detection mechanisms.
The ultimate objective of the attack is the deployment of an executable file capable of exfiltrating sensitive user data or credentials.
This campaign comes just a month after researchers uncovered a similar threat in the Go ecosystem, where a malicious package granted threat actors remote access to compromised systems.
Experts emphasize that the attackers systematically leverage identical file names, string obfuscation within arrays, and delayed payload execution—clear indicators of their intent to maintain persistence within infected environments. The presence of multiple domains and alternative repositories further suggests a well-structured infrastructure designed for swift adaptation in response to takedowns or countermeasures.
