Typosquatted packages delivering malware to Linux and macOS systems

Socket researchers have identified an active, malicious campaign targeting the Go ecosystem with typosquatted packages. These packages deliver hidden loader malware aimed at Linux and macOS systems.

The malicious actor behind this campaign has released at least seven packages impersonating popular Go libraries, including one that targets developers in the financial sector. The packages reuse the same malicious filenames and share obfuscation tactics, indicating that the threat actor behind them is coordinated and capable of pivoting.

In February 2025, the malicious actor published four packages on the Go Module Mirror that mimic a legitimate tool for testing HTTP API clients. The typosquatted mimics embed concealed functions that allow remote code execution. Their end goal is to steal data and credentials.

Below, security leaders discuss the campaign and offer advice for organizational defense. 

Security leaders weigh in 

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck:

This typosquatting attack is not a new attack vector; however, it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code. Verifying packages is usually done by signing them before they are added to a central repository. Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present, and systems have not been compromised.

Rom Carmel, Co-Founder and CEO at Apono:

The real danger is not just about the macOS operating system: Attackers are following where cloud infrastructure gets built — not just where data sits. If you’re shipping software or infrastructure-as-code to the cloud, your CI/CD pipelines and developer environments are the new frontline. The rise in supply chain attacks targeting macOS and Linux developers isn’t a coincidence — it’s a strategic shift by attackers toward where infrastructure is built and managed. One approach to protect these is implementing JIT access controls that disrupt these attack chains by ensuring that developer credentials and privileged access aren’t an open door waiting to be exploited.

J Stephen Kowski, Field CTO at SlashNext Email Security+:

The real danger is that these sophisticated attacks target developers in the financial sector through typosquatting — creating packages with names very similar to legitimate ones — which can lead to widespread data theft when the malicious code executes after a deliberate delay. Organizations should implement automated scanning tools that can detect typosquatted packages before installation, verify package integrity through hash validation, and deploy real-time behavioral monitoring to catch suspicious activities even when malware uses delayed execution tactics. Advanced email security solutions that can identify and block phishing attempts containing links to these malicious packages would provide an additional critical layer of protection.

Threat actors are increasingly targeting macOS, with malware attacks against Apple systems rising by 101% in recent quarters as their adoption in corporate environments grows. This trend reflects a strategic shift by attackers who recognize that macOS users often hold privileged positions within organizations, such as developers and executives, making them high-value targets for credential theft and system compromise. The use of cross-platform languages like Go allows attackers to efficiently target multiple operating systems simultaneously, making it essential for security teams to implement comprehensive protection across all platforms rather than assuming any operating system provides inherent immunity.
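Two of the recommendations above, reviewing Go projects for look-alike modules (Richards) and detecting typosquatted packages before installation (Kowski), can be turned into a pre-merge check on go.mod. The program below is an added example written for this article; it is not Socket's tooling, nor code from any of the quoted experts, and the module paths in its allowlist and sample go.mod are constructed for illustration and do not refer to real packages. It parses the require section of a go.mod, normalizes characters that are easy to confuse (digit 1 for letter l, 0 for o, underscore for hyphen), and flags any required module that is not on the vetted allowlist but sits within a small edit distance of an allowlisted path.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// knownGood is a constructed allowlist of module paths the organisation has vetted.
// These are hypothetical names chosen for the example, not real modules.
var knownGood = []string{
	"github.com/example/httpmock",
	"github.com/example/apiclient",
	"golang.org/x/crypto",
}

// confusable maps characters commonly swapped in typosquats onto a canonical form.
var confusable = map[rune]rune{'1': 'l', '0': 'o', '_': '-'}

// normalize lowercases a module path and folds confusable characters so that
// "examp1e" compares equal to "example".
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if m, ok := confusable[r]; ok {
			r = m
		}
		b.WriteRune(r)
	}
	return b.String()
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between two strings (standard two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// parseRequires extracts (path, version) pairs from go.mod text. It handles both the
// single-line form "require path v1.2.3" and the block form "require ( ... )", and
// strips // comments (including "// indirect") before splitting fields.
func parseRequires(gomod string) [][2]string {
	var out [][2]string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			out = append(out, [2]string{f[0], f[1]})
		case f[0] == "require" && len(f) >= 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			out = append(out, [2]string{f[1], f[2]})
		}
	}
	return out
}

// Finding is one required module that looks like, but is not, an allowlisted module.
type Finding struct {
	Module   string
	Version  string
	Nearest  string // the allowlisted path it resembles
	Distance int    // edit distance after normalization; 0 means confusable-only difference
}

// findSuspects flags required modules that are absent from the allowlist yet within
// maxDist edits (after normalization) of an allowlisted path. Exact matches are skipped.
func findSuspects(gomod string, allow []string, maxDist int) []Finding {
	allowed := make(map[string]bool, len(allow))
	for _, a := range allow {
		allowed[a] = true
	}
	var findings []Finding
	for _, req := range parseRequires(gomod) {
		path, ver := req[0], req[1]
		if allowed[path] {
			continue
		}
		best, bestDist := "", -1
		np := normalize(path)
		for _, a := range allow {
			if d := levenshtein(np, normalize(a)); bestDist < 0 || d < bestDist {
				best, bestDist = a, d
			}
		}
		if bestDist >= 0 && bestDist <= maxDist {
			findings = append(findings, Finding{path, ver, best, bestDist})
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod for the example; the module paths are fictional.
const sampleGoMod = `module example.com/internal/tool

go 1.22

require (
	github.com/example/httpmock v1.4.0
	github.com/examp1e/httpmock v1.4.1 // digit 1 in place of letter l
	github.com/example/apiclent v0.9.0 // one letter dropped
	golang.org/x/crypto v0.21.0
	github.com/unrelated/thing v2.0.0
)
`

func main() {
	for _, f := range findSuspects(sampleGoMod, knownGood, 2) {
		fmt.Printf("SUSPECT %s %s resembles %s (distance %d)\n", f.Module, f.Version, f.Nearest, f.Distance)
	}
}
```

A distance of 0 after normalization is the strongest signal, because the only difference between the required path and the vetted one is a confusable character. Note that `go mod verify` and the checksum database do not catch this class of attack: a typosquatted module is a legitimately published module with a valid checksum, so hash validation confirms you received what the attacker published, not that you asked for the right module. The name check above has to run before the module is ever downloaded.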

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

This campaign focused on the Go ecosystem and revealed a significant threat posed by typosquatted packages to software supply chains, particularly for companies that depend on APIs developed with Go. The true risk comes from the capability of these malicious packages to penetrate legitimate projects, which can compromise systems and lead to data breaches or the activation of backdoors. This risk is particularly severe for APIs, which frequently act as the gateway to sensitive data and essential systems. To reduce this threat, organizations need to adopt strong security practices, including thorough dependency management, where the origins of all packages are closely examined and verified before being integrated into any project, especially those that involve APIs.

In addition to managing dependencies, a thorough API security strategy is critical. This involves employing automated security scanning tools to identify suspicious activities and potential harmful code within API projects, along with performing regular vulnerability evaluations to uncover and rectify vulnerabilities. Educating developers is also vital to equip them with the skills to recognize and sidestep threats such as typosquatting. An established API posture governance program can help institutionalize these initiatives, ensuring security is integrated into every phase of the API lifecycle. By embracing a proactive security approach that includes API-specific protections, organizations can enhance the safeguarding of their systems and data from the evolving threats aimed at software supply chains and APIs, thereby maintaining the integrity and security of their API ecosystem.