An ongoing campaign has infiltrated the Go ecosystem with at least seven typosquatted packages that install hidden loader malware primarily targeting Linux and macOS systems in the financial sector.

These packages share repeated malicious filenames and consistent obfuscation techniques, which suggest a coordinated threat actor capable of pivoting rapidly, according to a March 4 blog by Socket researchers.

“Given the threat actor’s demonstrated ability to upload malicious packages, there’s a strong reason to suspect that similar tactics, techniques, and procedures will continue infiltrating the Go ecosystem,” wrote the Socket researchers. “Developers should remain vigilant, adopting real-time scanning tools, code audits, and careful dependency management to guard against typosquatting and obfuscated malicious payloads.”

Stephen Kowski, Field CTO at SlashNext Email Security, explained that these sophisticated attacks target developers in the financial sector through typosquatting — creating packages with names very similar to legitimate ones — which can lead to widespread data theft when the malicious code executes after a deliberate delay. “Threat actors are increasingly targeting macOS, with malware attacks against Apple systems surging by 101% in recent quarters as their adoption in corporate environments grows,” said Kowski. “This trend reflects a strategic shift by attackers who recognize that macOS users often hold privileged positions within organizations, such as developers and executives, making them high-value targets for credential theft and system.”

Kowski said organizations should implement automated scanning tools that can detect typosquatted packages before installation, verify package integrity through hash validation, and deploy real-time behavioral monitoring to catch suspicious activities even when malware uses delayed execution tactics.

Eugene Rojavski, security research group manager at Checkmarx, said the number of detected attacks on Go modules has been rising of late. Just a month ago, attackers pulled a nice trick with the way Go modules are cached and managed to spread a tainted typosquatted version of a popular boltdb package.

Rojavski said typosquatting is as effective for Go as for other languages. Even though Go modules are not stored in a package repository like PyPI or npm and reside in GitHub, the attackers can still create GitHub repositories with typosquatted names and flood pkg.go.dev with malware.

“Saying that the campaign targets the financial sector based on the likeliness of a domain used for loading one of the malware stages sounds a bit like a stretch,” said Rojavski. “Usually, typosquatting is a widespread attack by targeting random users unless certain packages are known to be heavily used by some company. Malware spread by malicious packages is becoming increasingly sophisticated, divided into stages, obfuscated, and evading detection.”

Thomas Richards, principal consultant, network and red team practice director at Black Duck, added that this typosquatting attack is not a new attack vector. However, Richards said it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code. “Verifying packages is usually done by signing them before they are added to a central repository,” said Richards. “Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present, and systems have not been compromised.”
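
As an added example (not code from Socket's report or from any vendor quoted here), this is a minimal pre-install check of the kind Kowski describes: it flags `go.mod` requirements whose module path sits within a couple of edits of a vetted path. The allowlist, the module paths and the `go.mod` contents are constructed, and the parser assumes block-form `require ( ... )` lines.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist of module paths a team has already reviewed (assumption).
var vetted = map[string]bool{"github.com/example-org/fastlog": true, "github.com/example-org/layoutkit": true}

// Constructed go.mod; the second requirement swaps two letters in the owner name.
const sampleGoMod = `module example.com/payments
require (
	github.com/example-org/fastlog v1.4.0
	github.com/exampel-org/layoutkit v0.3.1 // indirect
	golang.org/x/text v0.14.0
)`

// within reports whether a and b are at most k edits apart; cost grows as 3^k, so keep k small.
func within(a, b string, k int) bool {
	for len(a) > 0 && len(b) > 0 && a[0] == b[0] {
		a, b = a[1:], b[1:] // skip the common prefix
	}
	if len(a) == 0 || len(b) == 0 {
		return len(a)+len(b) <= k // the remainder is pure insertions or deletions
	}
	return k > 0 && (within(a[1:], b[1:], k-1) || within(a[1:], b, k-1) || within(a, b[1:], k-1))
}

// findLookalikes maps each unvetted required path to the vetted path it is within maxDist edits of.
func findLookalikes(goMod string, maxDist int) map[string]string {
	hits := map[string]string{}
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") || vetted[f[0]] {
			continue // keep only unvetted "module/path vX.Y.Z" lines
		}
		for good := range vetted {
			if within(f[0], good, maxDist) {
				hits[f[0]] = good
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(findLookalikes(sampleGoMod, 2))
}
```

A name check like this only catches lookalike paths; for the hash validation also mentioned above, Go's own `go mod verify` checks that cached modules have not been modified since download.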