Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in github.com/utilizedsun/layout (Go)

Malicious Go package github.com/utilizedsun/layout was identified as a typosquatting attack targeting Linux and macOS systems. The package functions as a loader to download and execute additional malicious payloads.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Linux and macOS systems using the affected Go package
Ecosystems
Attack vectors
Affected entities
  • github.com/utilizedsun/layoutMalicious typosquatting package acting as loader for secondary payload

A malicious Go package, github.com/utilizedsun/layout, was discovered and reported via GitHub Security Advisory GHSA-cvm3-cf32-fx43. The package represents a typosquatting attack designed to target developers on Linux and macOS systems.

The malicious package operates as a loader mechanism, downloading and executing secondary malicious payloads on compromised systems. This two-stage attack pattern increases the risk of follow-on compromise and data exfiltration.

The advisory was published on 2026-07-13 and classified as critical severity by the source. The package has been identified and removed from distribution channels.

Indicators of compromise

Packages
  • github.com/utilizedsun/layout

Remediation

  • Immediately remove github.com/utilizedsun/layout from all projects and dependencies
  • Audit go.mod and go.sum files for presence of this package
  • Review system logs on affected Linux and macOS machines for suspicious activity or secondary payload execution
  • Regenerate any credentials or secrets that may have been exposed on affected systems
  • Monitor for indicators of compromise from the secondary payload
  • Use dependency scanning tools to prevent similar typosquatting packages from being introduced

Sources

  1. GitHub Advisory GHSA-cvm3-cf32-fx43 · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/utilizedsun/layout (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-utilizedsun-layout-go-s80y33

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Malicious code in github.com/boltdb-go/bolt (Go)

    github.com/boltdb-go/bolt is a malicious Go package that typosquats the legitimate BoltDB library. It contains a backdoor enabling remote code execution on systems that install it.

    GoTyposquattingCompromised package
  2. resolvedcritical

    Malicious code in github.com/shallowmulti/hypert (Go)

    A malicious Go package github.com/shallowmulti/hypert was published as a typosquatting attack, designed to act as a loader for downloading and executing additional malicious payloads on Linux and macOS systems. The package was identified and reported via the GitHub Advisory Database.

    GoTyposquattingCompromised package
  3. resolvedcritical

    Malicious code in github.com/ornatedoctrin/layout (Go)

    A malicious Go package github.com/ornatedoctrin/layout was identified as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.

    GoTyposquattingCompromised package
  4. resolvedcritical

    Malicious code in github.com/shadowybulk/hypert (Go)

    A malicious Go package, github.com/shadowybulk/hypert, was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.

    GoTyposquattingCompromised package