Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Malicious Go Packages Target Linux and macOS

March 5, 2025
Reading Time: 3 mins read
in Alerts
Malicious Go Packages Target Linux and macOS

Cybersecurity researchers have raised alarms about an ongoing malicious campaign targeting the Go ecosystem, specifically involving typosquatted modules that are capable of deploying loader malware on Linux and macOS systems. These modules, which impersonate popular and trusted Go libraries, have been identified as part of a concerted effort to infiltrate systems and potentially exploit them, particularly in the financial sector. The threat actor behind this campaign has published at least seven malicious packages, including one github[.]com/shallowmulti/hypert—that seems to be specifically designed to target financial-sector developers.

Despite being hosted on the official Go package repository, most of these malicious packages have already had their corresponding GitHub repositories removed, though they are still available in the package repository itself. This suggests that the attack has been able to persist even after some of its infrastructure has been taken down. T

he discovery of this campaign highlights the growing threat to the Go ecosystem, particularly in terms of supply chain vulnerabilities that allow attackers to leverage trusted systems for malicious purposes.

The malicious packages involved in this campaign are all linked by shared characteristics, most notably the use of obfuscated shell commands and the consistent filenames used across different repositories. The attacker behind this campaign has demonstrated a sophisticated approach to evading detection by implementing delayed execution tactics. Specifically, the malicious code does not immediately retrieve or execute the script from the remote server, instead waiting for an hour after being executed.

This delay is likely meant to bypass initial security checks and make the malware harder to identify in real-time monitoring.

Once activated, the malware attempts to install an executable that could compromise system integrity by stealing sensitive data, credentials, or even allowing remote access to the infected systems. This method of attack is highly concerning because it leverages the trusted nature of package repositories to distribute malicious code, making it difficult for developers to distinguish between legitimate and harmful packages.

The current campaign is also part of a larger trend of software supply chain attacks targeting the Go ecosystem. Socket researchers had previously reported a similar attack targeting the Go package ecosystem about a month earlier. Both attacks rely on similar techniques, including the use of identical filenames, array-based string obfuscation, and delayed execution tactics. These repeated methods suggest that the threat actor is likely the same in both campaigns, with a strategy that has been designed to ensure long-term persistence within the ecosystem.

The malicious packages observed in this recent attack, including shallowmulti/hypert and belatedplanet/hypert, were designed to remain functional even if certain repositories or domains are blacklisted or removed, showcasing the threat actor’s ability to quickly pivot and adapt their infrastructure in response to security measures. This persistent approach to targeting Go developers shows the increasing sophistication of attackers and their ability to adapt to the evolving cybersecurity landscape.

 

Reference:
  • Malicious Go Packages Found Targeting Linux and macOS with Loader Malware Threat
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityMarch 2025
ADVERTISEMENT

Related Posts

Fake PyPI Login Site Steals Credentials

Fake PyPI Login Site Steals Credentials

September 26, 2025
Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

September 26, 2025
Fake PyPI Login Site Steals Credentials

Hidden WordPress Backdoors Create Admins

September 26, 2025
BadIIS Malware Spreads Via SEO Poisoning

Hackers Target AWS and Steal Credentials

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

SonicWall SMA100 Update Removes Rootkit

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

BadIIS Malware Spreads Via SEO Poisoning

September 24, 2025

Latest Alerts

Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

Hidden WordPress Backdoors Create Admins

Hackers Target AWS and Steal Credentials

SonicWall SMA100 Update Removes Rootkit

BadIIS Malware Spreads Via SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Indian Bank Transfer Records Exposed

    Chinese Cyberspies Hit US Defense Firms

    Neon App Shuts Down After Data Leak

    Boyd Gaming Reports Data Breach After Attack

    Morrisroe UK Company Hit By Cyber Attack

    GeoServer Flaw Breaches US Agency Network

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial