7 Malicious Go Packages Target Linux & macOS to Deploy Stealthy Malware Loader
gbhackers
Security researchers at Socket have uncovered a sophisticated malware campaign targeting the Go ecosystem.
The threat actor has published at least seven malicious packages on the Go Module Mirror, impersonating widely-used Go libraries to install hidden loader malware on Linux and macOS systems.
The malicious packages employ typosquatting techniques to mimic popular libraries such as “hypert” and “layout.”
Four packages (github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert) impersonate the legitimate github.com/areknoster/hypert library, while three others (github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout) masquerade as the github.com/loov/layout library.
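
A defensive check built from the module paths above, as an added example that is not part of the original article or of Socket's tooling: it scans the text of a go.mod for the seven reported paths and for any other GitHub owner reusing the names hypert or layout. The sample go.mod, its versions, the owner `examplefork` and the function name `auditGoMod` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Repository name -> GitHub owner -> status, all taken from the article.
var known = map[string]map[string]string{
	"hypert": {"areknoster": "legitimate", "shallowmulti": "reported", "shadowybulk": "reported",
		"belatedplanet": "reported", "thankfulmai": "reported"},
	"layout": {"loov": "legitimate", "vainreboot": "reported", "ornatedoctrin": "reported",
		"utilizedsun": "reported"},
}

// Constructed sample go.mod: versions and the "examplefork" owner are made up.
const sampleGoMod = `module example.com/app
require (
	github.com/areknoster/hypert v0.1.0
	github.com/shallowmulti/hypert v0.1.0 // indirect
	github.com/examplefork/layout v0.0.1
)
`

// auditGoMod checks every github.com module path in a go.mod text. An unlisted
// owner is a prompt for review, not a verdict: a genuine fork looks the same.
func auditGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		for _, tok := range strings.Fields(line) {
			p := strings.Split(tok, "/")
			if len(p) < 3 || p[0] != "github.com" || known[p[2]] == nil {
				continue
			}
			switch known[p[2]][p[1]] {
			case "legitimate":
			case "reported":
				findings = append(findings, tok+": reported malicious")
			default:
				findings = append(findings, tok+": unlisted owner reusing the name "+p[2])
			}
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(auditGoMod(sampleGoMod), "\n"))
}
```

Because the scan looks at every token, paths that appear in `replace` directives are checked as well as those in `require`.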

Obfuscation Techniques and Payload Execution
The malicious packages utilize array-based string obfuscation to conceal their true intentions.
Upon import, they execute a hidden function that constructs and runs a shell command to download and execute a remote script ...
Copyright of this story solely belongs to gbhackers.