Skip to content
supplychainattack.orgSupply chain attack incident catalog
resolvedcritical

Malicious code in github.com/ornatedoctrin/layout (Go)

A malicious Go package github.com/ornatedoctrin/layout was identified as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Linux and macOS systems using the affected Go package
Ecosystems
Attack vectors
Affected entities
  • github.com/ornatedoctrin/layoutMalicious typosquatting package

A malicious Go package, github.com/ornatedoctrin/layout, was discovered and reported through the Google Open Source Security advisory system. The package was designed as a typosquatting attack, likely mimicking a legitimate package name to deceive developers into importing it.

The malicious package targeted Linux and macOS systems and operated as a loader mechanism. Upon execution, it would download and run additional malicious payloads, extending the attack surface beyond the initial compromised dependency.

The advisory was published on 2026-07-13 and assigned identifier GHSA-2237-qq4x-m83q. The source severity was rated as critical due to the nature of the payload delivery mechanism and broad platform targeting.

Indicators of compromise

Packages
  • github.com/ornatedoctrin/layout

Remediation

  • Remove the malicious package github.com/ornatedoctrin/layout from all projects and dependencies
  • Audit go.mod and go.sum files for any references to github.com/ornatedoctrin/layout
  • Review systems that may have executed code from this package for signs of compromise or unauthorized payload execution
  • Verify the legitimacy of similar-named Go packages before importing them
  • Use dependency scanning tools to detect typosquatting and malicious packages in your supply chain

Sources

  1. GitHub Advisory GHSA-2237-qq4x-m83q · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/ornatedoctrin/layout (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-ornatedoctrin-layout-go-19dsl6

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Malicious code in github.com/boltdb-go/bolt (Go)

    github.com/boltdb-go/bolt is a malicious Go package that typosquats the legitimate BoltDB library. It contains a backdoor enabling remote code execution on systems that install it.

    GoTyposquattingCompromised package
  2. resolvedcritical

    Malicious code in github.com/shallowmulti/hypert (Go)

    A malicious Go package github.com/shallowmulti/hypert was published as a typosquatting attack, designed to act as a loader for downloading and executing additional malicious payloads on Linux and macOS systems. The package was identified and reported via the GitHub Advisory Database.

    GoTyposquattingCompromised package
  3. resolvedcritical

    Malicious code in github.com/shadowybulk/hypert (Go)

    A malicious Go package, github.com/shadowybulk/hypert, was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.

    GoTyposquattingCompromised package
  4. resolvedcritical

    Malicious code in github.com/thankfulmai/hypert (Go)

    A malicious Go package github.com/thankfulmai/hypert was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.

    GoTyposquattingCompromised package