Cybersecurity researchers are warning about a malicious campaign affecting the Go ecosystem, in which attackers have created typosquatted modules that deploy loader malware on both Linux and macOS systems. At least seven packages impersonate popular Go libraries, notably targeting financial-sector developers. These fake packages execute remote code through obfuscated shell commands, downloading a malicious script only after a one-hour delay to reduce the chance of detection. This incident follows a previous supply chain attack within the Go ecosystem, indicating a persistent threat.
The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers.
These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly.
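A defensive check for the impersonation pattern described above, added here as an example and not taken from the researchers' report: it parses the `require` directives of a `go.mod` and reports any module that reuses an allowlisted library's repository name under a different path. The allowlist entry `github.com/example-org/hypert` is a placeholder, since the article does not name the library being imitated, and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

var majorSuffix = regexp.MustCompile(`/v[0-9]+$`)
// trimMajor drops a trailing /vN so a module and its v2+ path compare equal.
func trimMajor(m string) string { return majorSuffix.ReplaceAllString(m, "") }

// requiredModules extracts module paths from the require directives of go.mod text.
func requiredModules(gomod string) (mods []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			mods = append(mods, f[1])
		case inBlock && len(f) == 2:
			mods = append(mods, f[0])
		}
	}
	return mods
}

// Audit maps each module that reuses a trusted repository name under another path to that trusted path.
func Audit(gomod string, trusted []string) map[string]string {
	out := map[string]string{}
	for _, m := range requiredModules(gomod) {
		for _, t := range trusted {
			if strings.EqualFold(path.Base(trimMajor(m)), path.Base(trimMajor(t))) && trimMajor(m) != trimMajor(t) {
				out[m] = t
			}
		}
	}
	return out
}

// Constructed go.mod: example-org is a placeholder; the second module path is the one named in the article.
const sampleGoMod = "module example.test/app\n\nrequire (\n\tgithub.com/example-org/hypert v1.0.0\n\tgithub.com/shallowmulti/hypert v1.0.0 // indirect\n)\n"

func main() { fmt.Println(Audit(sampleGoMod, []string{"github.com/example-org/hypert"})) }
```

A same-name match is only a prompt for manual review, because legitimate forks also reuse repository names.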