In early February, threat researchers with developer-focused security platform provider Socket detailed a three-year-old typosquatting campaign in which bad actors targeted developers with a backdoor that impersonated a widely used database module written in the Go programming language.
A month later, the researchers are out with a report of another campaign in which the threat actor is using typosquatted Go packages, this time to get developers to inadvertently install malware loaders onto systems running Linux and macOS operating systems.
According to Kirill Boychenko, a senior threat intelligence analyst with Socket, the cybercriminal has published at least seven malicious packages on the Go Module Mirror caching service that impersonate popular Go libraries, including one that seems to target developers in the financial sector.
“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly,” Boychenko wrote in a report.
In typosquatting, bad actors give malicious files names that closely resemble those of popular legitimate files, in the hope that a developer mistypes the legitimate name, or makes a similar slip, and lands on the malicious file instead. If the developer imports it and incorporates it into their code, the malware spreads downstream.
Exploiting Go’s Repository
All code repositories – from GitHub’s repositories to Python’s PIP package manager – have to deal with typosquatting of images, modules, code, libraries, and packages, Mitch Ashley, vice president and practice lead at The Futurum Group, told DevOps. Go likewise is susceptible, but there also are some reasons that are unique to the language.
The Go Module Mirror is one reason. The distributed central repository “makes it quicker and easier for developers to pull down modules by distributing cached modules to every mirror,” Ashley said. “There can be caching and update delays, allowing developers to use compromised modules even though updates may be available in the central node.”
“Unless explicitly triggered by a developer, the cache may be outdated and have a compromised module cached,” he said. “And the time to download module updates from the central repository to a cache can be lengthy. Go also uses URLs for imports, which are susceptible to misspelled or incorrect URLs, just as websites are susceptible to typosquatting.”
He compared that to Rust, another popular newer language that he says is maintained by a safety- and security-conscious community. Cargo, Rust’s package manager, is a build manager and package manager in one, which simplifies the building of software and managing of dependencies. The packages in Cargo – called “crates” – come from a single central repository.
“Rust is particularly good for high performance and for reducing vulnerabilities in code, particularly memory protection, that are strictly enforced at compile time,” the analyst said. “That said, Rust crates are not immune to malware.”
Seven Malicious Packages
In late February, the threat actor released four malicious packages on the Go Module Mirror that impersonate the github.com/areknoster/hypert library, which is popular with developers for testing HTTP API clients. The typosquatted files include functions that allow for remote code execution.
Three other packages impersonate the layout library, which is used in UI development.
One variant in the hypert library includes a malicious domain that refers to “alturastreet” and includes an unconventional top-level domain (TLD), .icu. It resembles the domain for Altura Credit Union, which is a legitimate online banking portal and uses the more traditional .com TLD.
“This discrepancy suggests a calculated effort to mislead or confuse potential victims,” Boychenko wrote. “The threat actor may be leveraging brand recognition around ‘Altura’ for typosquatting or spearphishing campaigns specifically targeting Altura Credit Union users. The deliberate domain choice, unconventional TLD and clear tie-in to malicious payloads illustrate the threat actor’s intent to exploit a reputable financial brand name, posing a notable security risk.”
Obfuscation and Evasion
The threat actor uses obfuscation techniques to make the malware difficult to detect. Once a developer or CI/CD environment imports the package, the payload runs silently and initially shows little malicious behavior. It eventually executes a script from a remote server, which waits for an hour, to further evade detection, before installing a payload that can steal sensitive data and credentials.
“Because it depends on common Linux utilities like /bin/sh, wget, and bash, the campaign specifically targets UNIX-like environments (Linux and macOS), placing developers using these systems at risk,” he wrote.
Aiming for Persistence
It doesn’t appear that the bad actor plans to go anywhere, according to Boychenko.
“The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt,” he wrote. “The discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity, enabling the threat actor to pivot whenever a domain or repository is blacklisted or removed.”
In addition, the threat actor’s demonstrated ability to upload malicious packages indicates that similar tactics are likely to surface in the Go ecosystem again. He recommended that developers adopt real-time scanning tools, code audits and dependency management to protect against typosquatting and obfuscated payloads.
“As the campaign evolves, proactive measures, such as verifying package integrity, monitoring new repositories and sharing indicators of compromise, will be essential in mitigating the risk of further supply chain compromises,” he wrote.
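One concrete form of the dependency checking recommended above, and of catching the near-miss names that typosquatting relies on, is to compare every module path a build pulls in against an allowlist of vetted paths and flag any path that is a few edits away from a vetted one. The following is an added example written for this article, not code from Socket or from the hypert project; the allowlist, the edit-distance threshold and the look-alike path in the sample dependency list are all constructed for illustration.

```go
package main
import "fmt"
// knownGood is a hypothetical allowlist of vetted module paths; hypert is the real library named in the report.
var knownGood = []string{"github.com/areknoster/hypert", "github.com/stretchr/testify"}

// levenshtein returns the edit distance between two module paths (byte-wise; module paths are ASCII).
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := []int{i}
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // match, or substitution if the bytes differ
			if a[i-1] != b[j-1] {
				d++
			}
			for _, alt := range []int{prev[j] + 1, cur[j-1] + 1} { // deletion, insertion
				if alt < d {
					d = alt
				}
			}
			cur = append(cur, d)
		}
		prev = cur
	}
	return prev[len(b)]
}

// Suspicious maps each module that is not allowlisted but sits within maxDist edits of an allowlisted path to that path.
func Suspicious(mods []string, maxDist int) map[string]string {
	out := map[string]string{}
	for _, m := range mods {
		best, closest := maxDist+1, ""
		for _, g := range knownGood {
			if d := levenshtein(m, g); d < best {
				best, closest = d, g
			}
		}
		if best > 0 && best <= maxDist { // 0 is an exact allowlisted match, not a look-alike
			out[m] = closest
		}
	}
	return out
}
func main() {
	// Constructed dependency list (what `go list -m all` might print); "areknostr" is a made-up look-alike.
	fmt.Println(Suspicious([]string{"github.com/areknoster/hypert", "github.com/areknostr/hypert", "golang.org/x/text"}, 2))
}
```

In a CI job the list would come from the real `go list -m all` output, and any flagged path should block the build until someone confirms it against the module's source repository.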