Malicious code in github.com/vainreboot/layout (Go)
A malicious Go package github.com/vainreboot/layout was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
- Disclosed
- Last updated
- Blast radius
- Any developer or system that imported github.com/vainreboot/layout
- Ecosystems
- Attack vectors
- Affected entities
- github.com/vainreboot/layoutMalicious Go package used as loader for secondary payload
A malicious Go package named github.com/vainreboot/layout was identified and published to the Go ecosystem. The package was designed as a typosquatting attack, likely mimicking a legitimate package name to deceive developers into importing it.
The malicious package targeted Linux and macOS systems and functioned as a loader mechanism. Upon execution, it would download and run additional malicious payloads, enabling secondary compromise of affected systems.
The incident was identified and disclosed via GitHub Security Advisory GHSA-cgwf-hvg3-395v. The package has been removed from the public repository.
Indicators of compromise
- Packages
- github.com/vainreboot/layout
Remediation
- Audit all dependencies in Go projects for the presence of github.com/vainreboot/layout and remove it immediately
- Review git history and build logs for any execution of this package
- Regenerate any credentials or secrets that may have been exposed on affected systems
- Scan affected systems for indicators of the secondary payload that may have been downloaded
- Verify the integrity of all binaries built with this dependency
- Use dependency scanning tools to prevent similar typosquatting attacks in the future
Sources
- GitHub Advisory GHSA-cgwf-hvg3-395v · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/vainreboot/layout (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-vainreboot-layout-go-119rp4
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malicious code in github.com/boltdb-go/bolt (Go)
github.com/boltdb-go/bolt is a malicious Go package that typosquats the legitimate BoltDB library. It contains a backdoor enabling remote code execution on systems that install it.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/shallowmulti/hypert (Go)
A malicious Go package github.com/shallowmulti/hypert was published as a typosquatting attack, designed to act as a loader for downloading and executing additional malicious payloads on Linux and macOS systems. The package was identified and reported via the GitHub Advisory Database.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/ornatedoctrin/layout (Go)
A malicious Go package github.com/ornatedoctrin/layout was identified as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/shadowybulk/hypert (Go)
A malicious Go package, github.com/shadowybulk/hypert, was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
GoTyposquattingCompromised package