
Malicious Typosquatted Go Packages Deploy Malware Loader on Linux and macOS


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Socket has published a blog detailing an ongoing malicious campaign targeting the Go ecosystem. Researchers uncovered multiple typosquatted packages that install a stealthy malware loader on Linux and macOS systems. The blog highlights that the threat actor has released at least seven deceptive packages impersonating popular Go libraries, including github.com/shallowmulti/hypert, which appears to focus on financial-sector developers.

These packages share recurring malicious filenames and similar obfuscation techniques, suggesting a well-coordinated operation with the ability to pivot quickly. As of now, the packages remain available on the Go Module Mirror. Socket has requested their removal and reported the associated GitHub repositories and user accounts.

Technical Details

Socket's blog reveals that in February 2025, a threat actor uploaded four typosquatted Go packages to the Go Module Mirror, impersonating the legitimate github.com/areknoster/hypert library—a widely used tool for testing HTTP API clients. These counterfeit packages—github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert—contain hidden functions designed to facilitate remote code execution.

In github.com/shallowmulti/hypert, the function qcJjJne() stealthily executes a shell command that retrieves and runs a remote script from alturastreet[.]icu. Similarly, the obfuscated string in github.com/shadowybulk/hypert decodes to https://host3ar[.]com/storage/de373d0df/a31546bf, while both github.com/thankfulmai/hypert and github.com/belatedplanet/hypert connect to https://binghost7[.]com/storage/de373d0df/a31546bf. In the shallowmulti/hypert variant, the malware executes automatically upon installation, so the payload is deployed without any user intervention.

To evade detection, the code uses array-based string obfuscation: the malicious command is split into an array of single-character strings and reconstructed through a nonsequential index pattern. This defeats basic static detection that relies on straightforward string matching, making it harder for security tools to flag the threat.
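Because the hidden command never appears as a literal, a string-matching scanner has nothing to match; a structural check does. The following is an added example, not code from Socket's blog or from any of the packages discussed: it uses Go's go/ast to find concatenation chains that read single-character elements of a []string through constant indices, records whether the index order is nonsequential, and reassembles the hidden text so an analyst can read it. The Go snippet it scans is constructed for this example and hides a harmless string, and names such as ScanSource and Finding are this example's own.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// constructedSample reproduces only the shape of the obfuscation described above (a
// single-character []string reassembled through scattered constant indices); it is
// constructed for this example and the hidden text is harmless.
const constructedSample = `package p
func build() string {
	t := []string{"o", "h", "e", "l", "l", " ", "w", "d", "r", "l"}
	return t[1] + t[2] + t[3] + t[4] + t[0] + t[5] + t[6] + t[0] + t[8] + t[9] + t[7]
}
`

// Finding is one suspicious concatenation chain.
type Finding struct {
	Var           string // the indexed slice variable
	Indexes       []int  // constant indices in concatenation order
	Decoded       string // the text the chain reassembles
	NonSequential bool   // indices are not a plain 0,1,2,... walk
}

// stringTables maps each variable assigned a composite literal to the unquoted values
// of its string-constant elements ("" for any other element, to keep positions).
func stringTables(f *ast.File) map[string][]string {
	tables := map[string][]string{}
	ast.Inspect(f, func(n ast.Node) bool {
		if as, ok := n.(*ast.AssignStmt); ok && len(as.Lhs) == len(as.Rhs) {
			for i, rhs := range as.Rhs {
				id, isIdent := as.Lhs[i].(*ast.Ident)
				if cl, ok := rhs.(*ast.CompositeLit); ok && isIdent {
					vals := make([]string, len(cl.Elts))
					for j, el := range cl.Elts {
						if lit, ok := el.(*ast.BasicLit); ok && lit.Kind == token.STRING {
							vals[j], _ = strconv.Unquote(lit.Value)
						}
					}
					tables[id.Name] = vals
				}
			}
		}
		return true
	})
	return tables
}

// collect walks an a + b + c tree left to right; every leaf must be t[INT] on the same
// table t and select a one-character element, otherwise the whole chain is rejected.
func collect(e ast.Expr, tables map[string][]string, fd *Finding) bool {
	if be, ok := e.(*ast.BinaryExpr); ok && be.Op == token.ADD {
		return collect(be.X, tables, fd) && collect(be.Y, tables, fd)
	}
	ix, ok := e.(*ast.IndexExpr)
	if !ok {
		return false
	}
	id, isIdent := ix.X.(*ast.Ident)
	lit, isLit := ix.Index.(*ast.BasicLit)
	if !isIdent || !isLit || lit.Kind != token.INT || (fd.Var != "" && fd.Var != id.Name) {
		return false
	}
	vals := tables[id.Name] // nil for unknown names, so the bounds check below rejects them
	i, err := strconv.Atoi(lit.Value)
	if err != nil || i < 0 || i >= len(vals) || len([]rune(vals[i])) != 1 {
		return false
	}
	fd.NonSequential = fd.NonSequential || (len(fd.Indexes) > 0 && fd.Indexes[len(fd.Indexes)-1]+1 != i)
	fd.Var, fd.Indexes, fd.Decoded = id.Name, append(fd.Indexes, i), fd.Decoded+vals[i]
	return true
}

// ScanSource parses Go source and reports every + chain of at least minLen
// constant-index reads from one string table, together with the text it decodes to.
func ScanSource(src string, minLen int) ([]Finding, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	tables := stringTables(f)
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		var fd Finding
		if be, ok := n.(*ast.BinaryExpr); ok && be.Op == token.ADD && collect(be, tables, &fd) && len(fd.Indexes) >= minLen {
			findings = append(findings, fd)
			return false // nested sub-chains are part of this finding
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, _ := ScanSource(constructedSample, 6)
	fmt.Printf("%+v\n", findings) // [{Var:t Indexes:[1 2 3 4 0 5 6 0 8 9 7] Decoded:hello world NonSequential:true}]
}
```

Running this over a candidate dependency's source before adding it turns the obfuscation into a signal: a long chain whose decoded text contains a shell interpreter or download utility deserves a manual look, while a short sequential chain such as t[0]+t[1]+t[2] is ordinary code and the minLen threshold keeps it quiet.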

Typosquatted Domains

The domain alturastreet[.]icu closely resembles alturacu.com, the legitimate online banking portal for Altura Credit Union. The slight variation in naming, combined with an unconventional .icu TLD, suggests an intentional effort to deceive users—possibly for typosquatting or phishing attacks targeting Altura Credit Union customers. The malicious code retrieves a remote script from alturastreet[.]icu, piping it directly into bash for execution. Once triggered, it installs the f0eee999 ELF binary, which delays execution for an hour—likely to evade detection—before making itself executable and running if no active process is found.

The malware's early-stage behavior, including reading /sys/kernel/mm/transparent_hugepage/, aligns with the characteristics of a cryptominer or loader. This attack specifically targets UNIX-like systems, relying on standard Linux utilities like /bin/sh, wget, and bash to ensure compatibility. Developers and CI/CD pipelines importing the infected packages unknowingly activate the malware.

Another f0eee999 sample was identified at 185.100.157[.]127/storage/de373d0df/, following the same execution logic. The uniformity in execution steps suggests the attacker is distributing similar payloads across different domains and IP addresses, all within the /storage/de373d0df/ directory. Security researcher Mads Hougesen previously observed f0eee999 and a31546bf in suspicious GitHub repositories posing as legitimate projects. Despite different infection methods—GitHub repositories versus Go Module packages—the filenames, obfuscation tactics, and payload remain consistent, indicating a coordinated and persistent threat campaign.

Additional Malicious Packages

Further investigation uncovered three additional malicious packages impersonating the legitimate github.com/loov/layout library. These packages—github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout—use the same array-based obfuscation to construct a concealed shell command. Once executed, the command downloads and runs the a31546bf script.

The script retrieves the f0eee999 ELF binary from sharegolem[.]com and binghost7[.]com, executing it after a deliberate delay. This execution pattern mirrors previous findings, reinforcing the connection between these packages and earlier malicious activity.

The timing of these packages' release, between January and February 2025, aligns with the previously identified typosquatted Go modules. The repeated use of filenames (a31546bf, f0eee999), identical obfuscation methods, and silently executed shell commands confirm that these packages are part of the same coordinated supply chain attack orchestrated by this threat actor.

Conclusion

This campaign underscores the growing risks of supply chain attacks within open-source ecosystems. By typosquatting legitimate Go libraries, the threat actor increases the likelihood of unsuspecting developers and CI/CD environments executing malicious payloads. The use of obfuscated commands, delayed execution, and recurring filenames across multiple packages and domains indicates a coordinated effort to evade detection and maintain persistence.

The consistent tactics and rapid deployment of new malicious packages highlight the need for enhanced vigilance in dependency management. Developers and organizations should implement strict package validation, automated security scanning, and monitoring of unusual behaviors to mitigate risks. As attackers refine their techniques, proactive threat intelligence and swift removal of compromised packages remain essential to defending against software supply chain compromises.
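One concrete form the "strict package validation" above can take is a build-list review against an allow-list of vetted modules. The following is an added example, not Socket's tooling or code from the original post: it parses `go list -m all` output and flags any module that is not vetted but either carries a vetted library's package name under a different owner (the pattern every typosquat in this campaign follows) or lies within a couple of edits of a vetted path. The allow-list and the module list are constructed for the example; the typosquatted paths in it are the ones named in the post, and the hypertt entry is a constructed near-miss.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// vettedModules is a constructed allow-list of dependencies an organisation has
// reviewed; the two paths are the legitimate libraries named in the write-up.
var vettedModules = []string{
	"github.com/areknoster/hypert",
	"github.com/loov/layout",
}

// constructedModList mimics `go list -m all` output ("path [version]" per line). The two
// typosquats are paths named in the write-up; the other lines are constructed, including
// one near-miss (hypertt) that exists only to exercise the edit-distance rule.
const constructedModList = `example.com/internal/app
github.com/areknoster/hypert v0.1.0
github.com/shallowmulti/hypert v0.1.1
github.com/loov/layout v0.0.0-20200501000000-abcdef123456
github.com/utilizedsun/layout v0.0.1
github.com/areknoster/hypertt v0.1.0
golang.org/x/net v0.30.0
`

// Alert is a dependency that resembles a vetted module without being one.
type Alert struct {
	Module string // the module path found in the build list
	Mimics string // the vetted module it resembles
	Reason string // which rule fired
}

func lastSegment(p string) string { return p[strings.LastIndex(p, "/")+1:] }

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the number of single-character edits between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// CheckModules parses `go list -m all` output and flags every module that is not on the
// allow-list but either shares a vetted module's final path element (same package name,
// different owner) or lies within maxDist edits of a vetted path (a near-identical typo).
func CheckModules(modList string, vetted []string, maxDist int) []Alert {
	isVetted := map[string]bool{}
	for _, v := range vetted {
		isVetted[v] = true
	}
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(modList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || isVetted[fields[0]] {
			continue
		}
		path := fields[0]
		for _, v := range vetted {
			switch {
			case lastSegment(path) == lastSegment(v):
				alerts = append(alerts, Alert{path, v, "same package name under a different owner"})
			case levenshtein(path, v) <= maxDist:
				alerts = append(alerts, Alert{path, v, "near-identical module path"})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range CheckModules(constructedModList, vettedModules, 2) {
		fmt.Printf("%-36s looks like %-30s (%s)\n", a.Module, a.Mimics, a.Reason)
	}
}
```

In a CI step the module list would come from `go list -m all` on the real project and the allow-list from the organisation's dependency inventory; every alert is a review trigger rather than a verdict, since unrelated projects do sometimes share a package name, but under this campaign's naming pattern the same-name-different-owner rule catches all seven packages the post lists.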
