
Typosquatted Go Packages Distribute Malware Loader Targeting Linux And MacOS


Researchers at Socket have uncovered a dangerous campaign involving the distribution of at least seven typosquatted Go packages. These malicious packages are disguised as well-known Go libraries and are specifically engineered to deploy loader malware on Linux and macOS systems.

Typosquatted packages are malicious packages published under names that closely resemble those of popular, legitimate libraries. In the Go ecosystem, they are crafted to look like widely used Go modules, with the aim of tricking developers into installing the counterfeit version instead of the authentic one.

In a recent report by Socket, it was revealed that in February 2025, a threat actor released four malicious packages on the Go Module Mirror posing as the legitimate github.com/areknoster/hypert library. This particular library is a favored tool for testing HTTP API clients. The fraudulent packages – github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert – were found to contain hidden functions that enable remote code execution.

The malicious packages have been designed to execute remote code by initiating an obfuscated shell command. This command retrieves and runs a script from a remote server, such as “alturastreet[.]icu,” with a programmed delay of around an hour. This delay serves to evade detection by security tools, allowing the malware to operate stealthily.

The primary objective of these attacks is to install and execute executable files that have the potential to steal sensitive data and credentials. The consistent use of identical filenames and obfuscation techniques indicates a well-coordinated effort by the threat actors, who are adept at adapting swiftly to sustain their activities.

Of particular concern is one of the packages, github.com/shallowmulti/hypert, which appears to be targeting developers within the financial sector. This suggests that the perpetrators may be focusing on high-value targets where data breaches could result in substantial financial gains.

The presence of multiple malicious packages and backup domains indicates that the threat actors have established an infrastructure that is meant to endure over time. This capability enables them to shift and continue their operations even if certain domains or repositories are blocked or removed.

This campaign underlines the susceptibility of software supply chains to typosquatting attacks. Developers must exercise caution when installing packages, and package repositories must enforce robust security measures to thwart malicious activities of this nature.

According to Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, managing software risk is crucial in combatting such attacks. Verifying the legitimacy of packages before integrating them into source code is essential to mitigate the risk of compromise.

J Stephen Kowski, Field CTO at SlashNext, emphasizes the targeting of developers in the financial sector through sophisticated typo-squatting attacks. Implementing automated scanning tools, verifying package integrity, and deploying real-time behavioral monitoring are recommended to detect and mitigate such threats effectively.
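One concrete form of the package verification both experts recommend is to compare a project's dependencies against a vetted allowlist and flag modules that reuse a trusted library's name under a different owner, which is exactly how the hypert lookalikes above were built. The following Go program is an added example written for this article, not code from Socket or the hypert project; the allowlist, the go.mod sample and the version numbers in it are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Vetted canonical module paths (constructed allowlist; areknoster/hypert is the genuine library).
var trusted = []string{"github.com/areknoster/hypert"}

// FindLookalikes parses go.mod require lines and flags modules whose last path element matches a trusted module while the full path differs.
func FindLookalikes(goMod string, trusted []string) []string {
	byName := map[string]string{}
	for _, t := range trusted {
		byName[path.Base(t)] = t
	}
	var flagged []string
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		f := strings.Fields(raw)
		mod := ""
		switch {
		case len(f) == 0:
		case f[0] == "require" && f[len(f)-1] == "(":
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case inBlock:
			mod = f[0] // block form: "path version [// indirect]"
		case f[0] == "require" && len(f) >= 3:
			mod = f[1] // single-line form: "require path version"
		}
		if canon, ok := byName[path.Base(mod)]; ok && canon != mod {
			flagged = append(flagged, mod+" (imitates "+canon+")")
		}
	}
	return flagged
}

// Constructed go.mod: one genuine hypert, one typosquat named in the report.
const sampleGoMod = "module example.com/app\n\nrequire (\n" +
	"\tgithub.com/areknoster/hypert v0.0.1\n" +
	"\tgithub.com/shallowmulti/hypert v0.0.2 // indirect\n)\n"

func main() {
	for _, m := range FindLookalikes(sampleGoMod, trusted) {
		fmt.Println("suspicious dependency:", m)
	}
}
```

Run it in CI against the real go.mod and fail the build on any output; it complements, rather than replaces, checksum verification via go.sum.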

The increasing focus on macOS by threat actors reflects a strategic shift towards targeting high-value individuals within organizations. Cross-platform languages like Go let a single malicious package reach multiple operating systems at once, so protection measures must cover all platforms rather than just one.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, highlights the heightened risk of typo-squatting attacks for APIs. Organizations are advised to adopt stringent security practices, including thorough dependency management and robust API security strategies, to safeguard against such threats.

In conclusion, the prevalence of typosquatting attacks underscores the importance of vigilance and proactive security measures to safeguard software supply chains and sensitive data from malicious actors. It is crucial for both developers and organizations to stay alert, verify the authenticity of packages, and implement robust security protocols to mitigate the risks posed by such deceptive tactics.
