Devs beware: fake Golang packages target Mac users


An active malware campaign has infiltrated the Golang ecosystem, targeting financial sector developers who prefer to code using Linux or macOS.

Researchers at the cybersecurity firm Socket uncovered the campaign, which almost exclusively targets the Golang (Go) ecosystem and coders who use macOS or Linux as their primary operating systems.

The campaign is sneaky in nature. It relies on typosquatting, a technique in which malicious packages are published under names that differ only slightly from those of popular packages, tricking users into believing they are downloading legitimate content.


So far, at least seven packages impersonating popular Go libraries have been discovered. Some apparently specifically target developers in the financial sector. If successful, the attack could have far-reaching consequences, as libraries are often embedded deep into an app or other tool.


Researchers deemed the attack coordinated and sophisticated, alerting that whoever’s behind it is unlikely to stop. The seven uncovered malicious packages are likely not the only ones, and attackers are likely to add new ones after discovery.

The sophistication element stems from resource-intensive obfuscation and delayed execution techniques. This means that after a developer downloads the malware-infected package, it waits at least one hour to start “silent execution.”

At least four slow and steady stages of command execution and delayed payload deployment need to pass before the malware is installed on the local device. By that time, the victim has long forgotten about the mundane download they made.

According to the researchers' note, the malicious packages include:

  • shallowmulti/hypert
  • shadowybulk/hypert
  • belatedplanet/hypert
  • thankfulmai/hypert
  • vainreboot/layout
  • ornatedoctrin/layout
  • utilizedsun/layout

“As the campaign evolves, proactive measures, such as verifying package integrity, monitoring new repositories, and sharing indicators of compromise, will be essential in mitigating the risk of further supply chain compromises,” the researchers said.
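One concrete form of the package-integrity check the researchers recommend, as an added example that is not code from the article or from Socket: a small Go routine that parses a project's go.mod and flags any require directive whose module path ends in one of the seven owner/repo names listed above. The article gives the names without a hosting prefix, so the check matches them under any host; the go.mod text is constructed and its github.com prefix is an assumption.

```go
package main

import "strings"

// ArticleBlocklist: the seven module names the article lists, in the owner/repo form given there.
var ArticleBlocklist = []string{
	"shallowmulti/hypert", "shadowybulk/hypert", "belatedplanet/hypert",
	"thankfulmai/hypert", "vainreboot/layout", "ornatedoctrin/layout",
	"utilizedsun/layout",
}
// SampleGoMod is a constructed go.mod; the github.com host prefix is an assumption.
const SampleGoMod = `module example.com/payments
go 1.22
require github.com/shallowmulti/hypert v0.0.3
require (
	github.com/vainreboot/layout v1.0.1 // indirect
	golang.org/x/text v0.14.0
)
`
// SuspiciousRequires walks the require directives of go.mod text (single-line
// and block form, trailing comments stripped) and returns module paths that
// equal a blocklist entry or end with "/"+entry, so any host prefix matches.
func SuspiciousRequires(goMod string, blocklist []string) []string {
	var hits []string
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and similar
		}
		if line == "require (" || (inBlock && line == ")") {
			inBlock = line == "require ("
			continue
		}
		if strings.HasPrefix(line, "require ") {
			line = line[len("require "):]
		} else if !inBlock {
			continue // module, go, replace, blank lines, etc.
		}
		f := strings.Fields(line)
		for _, bad := range blocklist {
			if len(f) >= 2 && (f[0] == bad || strings.HasSuffix(f[0], "/"+bad)) {
				hits = append(hits, f[0])
				break
			}
		}
	}
	return hits
}
```

Run it over every go.mod in a monorepo (and, for transitive pulls, the output of `go list -m all`) and treat any hit as a reason to pin and re-verify the dependency rather than as proof on its own.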


While the tech industry has long deemed macOS systems safer than Windows-based ones, the volume of macOS malware detection has skyrocketed in recent years. According to Palo Alto Networks' Unit 42, a 101% increase in macOS infostealers was observed between the last two quarters of 2024.