Socket, a software supply chain security solutions provider, has brought to light a disturbing trend in the world of cybersecurity. Malicious actors are now targeting developers within the Go programming language ecosystem, using a technique known as typosquatting to distribute malware disguised as legitimate Go packages. These packages are designed to install hidden malware loaders on Linux and macOS systems, posing a significant threat to users.
The investigation conducted by Socket revealed that at least seven deceptive packages were published on the Go Module Mirror, a central repository for Go modules. These packages impersonate popular libraries like “hypert” for testing HTTP API clients and “layout” for UI development. In particular, the “hypert” package seems to be aimed at developers in the financial sector.
The malicious “hypert” package contains concealed functions that enable remote code execution. Once imported into a project, the malicious code silently downloads and executes a script from a remote server, which then installs an executable file capable of stealing sensitive data or credentials. To evade detection, the attackers use array-based string obfuscation to hide malicious commands within the code. They also incorporate a time delay in the malicious script, waiting for an hour before fetching the final payload to bypass immediate security measures.
Furthermore, the attackers employ domain typosquatting to deceive users by creating malicious domains that resemble legitimate websites, especially those related to financial institutions. By exploiting users’ trust in familiar names and brands, the attackers aim to trick users into downloading malware.
The attackers also reuse similar payloads and filenames across different domains and IP addresses, indicating a coordinated and persistent effort. Researchers have identified a connection between the ELF file f0eee999 and the script a31546bf, suggesting broader trends in malware distribution.
Socket’s research underscores the growing risks associated with software supply chain attacks, emphasizing the need for developers to be vigilant when incorporating external packages into their projects. Real-time scanning tools, browser extensions, code audits, and careful dependency management practices are essential to mitigate the risk of malware infiltration. Developers are encouraged to verify package integrity, monitor new repositories, and share indicators of compromise within the community.
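A defender-side check in the spirit of the dependency-management advice above, added here as an example and not part of Socket's report or tooling: it compares each module path from `go list -m all` against a team allowlist and flags near-miss names of the kind a typosquat relies on. The module paths, versions and allowlist are constructed placeholders, and the one-to-two-edit threshold is an assumption to tune per project.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go list -m all` sample; "hyperrt" is a placeholder typo of the (also constructed) trusted path.
const sampleModList = `example.com/app
github.com/example-org/hypert v1.2.0
github.com/example-org/hyperrt v1.2.0
github.com/example-org/layout v0.9.1
golang.org/x/text v0.14.0`

// Constructed allowlist of module paths the team has already vetted.
var trustedModules = []string{"github.com/example-org/hypert", "github.com/example-org/layout", "golang.org/x/text"}

// levenshtein is the edit distance between two ASCII module paths (two-row DP).
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev { prev[j] = j }
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] { d++ }
			if prev[j]+1 < d { d = prev[j] + 1 }   // deletion
			if cur[j-1]+1 < d { d = cur[j-1] + 1 } // insertion
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// FindSuspicious skips the main module (no version) and flags paths that are not on the allowlist but within two edits of one.
func FindSuspicious(modList string, trusted []string) (flagged []string) {
	for _, line := range strings.Split(modList, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 { continue }
		best := -1 // smallest distance to any trusted path; 0 means an exact match
		for _, t := range trusted {
			if d := levenshtein(f[0], t); best < 0 || d < best { best = d }
		}
		if best > 0 && best <= 2 { flagged = append(flagged, f[0]) }
	}
	return flagged
}

func main() { fmt.Println("suspicious:", FindSuspicious(sampleModList, trustedModules)) }
```

Run it against real output with `go list -m all > mods.txt` and feed the file contents in place of the sample; anything flagged deserves a manual look at the module's origin before it stays in the build.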
In response to these developments, Thomas Richards, Principal Consultant at Black Duck, emphasized the importance of managing software risk and verifying the legitimacy of modules before integrating them into source code. He highlighted the need for immediate reviews of all applications developed in Go to ensure they are free from malicious packages and that systems have not been compromised.
Overall, the typosquatting campaign delivering malware via malicious Go packages poses a significant threat to the cybersecurity landscape. Developers must take proactive measures to protect their projects and mitigate the risks associated with software supply chain attacks.