Researchers from Socket have identified an ongoing campaign involving at least seven typosquatted Go packages. These packages impersonate well-known Go libraries and are designed to deploy loader malware on Linux and macOS systems.
Typosquatted packages are malicious software components designed to mimic the names of popular, legitimate packages. In the context of Go programming, these packages are created with names that are very similar to widely used Go libraries. The goal is to deceive developers into installing these malicious packages instead of the genuine ones.
According to Socket: “In February 2025, the threat actor released four malicious packages on the Go Module Mirror that impersonate the legitimate github.com/areknoster/hypert library, a popular tool for testing HTTP API clients. These typosquatted clones – github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert – embed concealed functions to enable remote code execution.”
Evading Detection, Adapting Rapidly
The malicious packages contain code that achieves remote code execution by running an obfuscated shell command. This command retrieves and executes a script from a remote server, such as “alturastreet[.]icu,” but only after a delay of about an hour, a delay that likely helps the malware evade detection by security tools.
The ultimate goal of these attacks is to install and run executable files that can potentially steal sensitive data or credentials. The use of identical filenames and consistent obfuscation techniques suggests a coordinated effort by the threat actors, who are capable of adapting quickly to maintain their operations.
One of the packages, github.com/shallowmulti/hypert, appears to target developers specifically in the financial sector. This indicates that the malefactors may be focusing on high-value targets where data breaches could yield significant financial gains.
The discovery of multiple malicious packages and fallback domains indicates that the threat actors have built an infrastructure designed for longevity. This allows them to pivot and continue their operations even if some domains or repositories are blacklisted or removed.
This campaign highlights the vulnerability of software supply chains to typosquatting attacks. Developers need to be vigilant when installing packages, and package repositories must implement robust security measures to prevent malicious activities of this nature.
Managing Software Risk
“This typosquatting attack is not a new attack vector; however, it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code,” comments Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck.
“Verifying packages is usually done by signing them before they are added to a central repository. Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present and systems have not been compromised.”
Targeting the Financial Sector
The real danger, adds J Stephen Kowski, Field CTO at SlashNext, is that these sophisticated attacks target developers in the financial sector through typosquatting – creating packages with names very similar to legitimate ones – which can lead to widespread data theft when the malicious code executes after a deliberate delay.
Kowski says entities should implement automated scanning tools that can detect typo-squatted packages before installation, verify package integrity through hash validation, and deploy real-time behavioral monitoring to catch suspicious activities even when malware uses delayed execution tactics. “Advanced email security solutions that can identify and block phishing attempts containing links to these malicious packages would provide an additional critical layer of protection.”
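The review Richards calls for and the pre-installation check Kowski describes can both start with a scan of go.mod for module paths that reuse a vetted library's package name under a different owner, which is exactly the pattern of the hypert clones. The following Go program is an added example, not code from Socket or the article; the allow-list and the sample go.mod contents are constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample go.mod (not from the article): one legitimate dependency
// beside one of the typosquatted module paths named in the Socket report.
const sampleGoMod = `module example.com/payments
go 1.22
require (
	github.com/areknoster/hypert v0.1.0
	github.com/shallowmulti/hypert v0.1.0 // indirect
	golang.org/x/net v0.23.0
)
`

// Assumed allow-list of module paths the organisation has already vetted.
var trusted = map[string]bool{
	"github.com/areknoster/hypert": true,
	"golang.org/x/net":             true,
}

// SuspectModules parses the require lines of go.mod text and maps every module
// that is off the allow-list yet reuses a trusted module's package name to it.
func SuspectModules(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") || trusted[f[0]] {
			continue // not a "<module path> <version>" line, or already vetted
		}
		for t := range trusted { // same final path element, different owner?
			if path.Base(t) == path.Base(f[0]) {
				out[f[0]] = t
			}
		}
	}
	return out
}

func main() {
	for m, t := range SuspectModules(sampleGoMod) {
		fmt.Printf("SUSPECT %s resembles trusted %s\n", m, t)
	}
}
```

This name check complements, rather than replaces, `go mod verify`, which validates the contents of downloaded modules against the hashes recorded in go.sum.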
Threat actors are increasingly targeting macOS, a trend that reflects a strategic shift by attackers who recognize that macOS users often hold privileged positions within organizations, such as developers and executives, making them high-value targets for credential theft and system compromise, says Kowski. “The use of cross-platform languages like Go allows attackers to efficiently target multiple operating systems simultaneously, making it essential for security teams to implement comprehensive protection across all platforms rather than assuming any operating system provides inherent immunity.”
Particularly Severe for APIs
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, says the typo-squatting risk is particularly severe for APIs, which frequently act as the gateway to sensitive data and essential systems. “To reduce this threat, organizations need to adopt strong security practices, including thorough dependency management, where the origins of all packages are closely examined and verified before being integrated into any project, especially those that involve APIs.”
In addition to managing dependencies, Schwake says a thorough API security strategy is critical. “This involves employing automated security scanning tools to identify suspicious activities and potentially harmful code within API projects, along with performing regular vulnerability evaluations to uncover and rectify vulnerabilities. Educating developers is also vital to equip them with the skills to recognize and sidestep threats such as typosquatting. An established API posture governance program can help institutionalize these initiatives, ensuring security is integrated into every phase of the API lifecycle.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.