Cybersecurity researchers have raised alarms about an ongoing malicious campaign targeting the Go ecosystem, specifically involving typosquatted modules that are capable of deploying loader malware on Linux and macOS systems. These modules, which impersonate popular and trusted Go libraries, have been identified as part of a concerted effort to infiltrate systems and potentially exploit them, particularly in the financial sector. The threat actor behind this campaign has published at least seven malicious packages, including one github[.]com/shallowmulti/hypert—that seems to be specifically designed to target financial-sector developers.
Despite being hosted on the official Go package repository, most of these malicious packages have already had their corresponding GitHub repositories removed, though they are still available in the package repository itself. This suggests that the attack has been able to persist even after some of its infrastructure has been taken down. T
he discovery of this campaign highlights the growing threat to the Go ecosystem, particularly in terms of supply chain vulnerabilities that allow attackers to leverage trusted systems for malicious purposes.
The malicious packages involved in this campaign are all linked by shared characteristics, most notably the use of obfuscated shell commands and the consistent filenames used across different repositories. The attacker behind this campaign has demonstrated a sophisticated approach to evading detection by implementing delayed execution tactics. Specifically, the malicious code does not immediately retrieve or execute the script from the remote server, instead waiting for an hour after being executed.
This delay is likely meant to bypass initial security checks and make the malware harder to identify in real-time monitoring.
Once activated, the malware attempts to install an executable that could compromise system integrity by stealing sensitive data, credentials, or even allowing remote access to the infected systems. This method of attack is highly concerning because it leverages the trusted nature of package repositories to distribute malicious code, making it difficult for developers to distinguish between legitimate and harmful packages.
The current campaign is also part of a larger trend of software supply chain attacks targeting the Go ecosystem. Socket researchers had previously reported a similar attack targeting the Go package ecosystem about a month earlier. Both attacks rely on similar techniques, including the use of identical filenames, array-based string obfuscation, and delayed execution tactics. These repeated methods suggest that the threat actor is likely the same in both campaigns, with a strategy that has been designed to ensure long-term persistence within the ecosystem.
The malicious packages observed in this recent attack, including shallowmulti/hypert and belatedplanet/hypert, were designed to remain functional even if certain repositories or domains are blacklisted or removed, showcasing the threat actor’s ability to quickly pivot and adapt their infrastructure in response to security measures. This persistent approach to targeting Go developers shows the increasing sophistication of attackers and their ability to adapt to the evolving cybersecurity landscape.
