Backdoored Python Package With Embedded Go Implant Targeting Mac Developers

A package named "requests-darwin-lite" was published to PyPI to fool Mac users trying to install the extremely popular "requests" library.

Researchers from Phylum have published a report detailing a campaign that targeted Mac users with this malicious package distributed via PyPI.

On installation the package abuses the hook functionality of Python's "setuptools" (code in setup.py runs as part of the install itself) to extract and execute a malicious binary written in Go, which was steganographically embedded in one of the image resources shipped with the package. Because the hook fires during installation, the victim never has to import the library: running the install is enough.
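As an added example (not code from this page or from Phylum's report), the following Python script audits a PNG the way one might check the image resources of a suspect package: it walks the chunk list, verifies chunk CRCs, reports bytes appended after the IEND chunk, scans for executable magic bytes (Mach-O, ELF) anywhere in the file, and shows how a loader reads an appended payload back. The 1x1 sample image and the fake payload (a Mach-O magic followed by zeros, not a real binary) are constructed here. The page does not describe how the real package laid out its payload inside the image, so the trailing-data check is an assumption about one common embedding layout; the magic-byte scan does not depend on layout.

```python
"""Audit a PNG for an embedded executable payload (constructed example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic bytes of executable formats that have no business inside an image.
EXEC_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"\x7fELF": "ELF",
}


def png_chunk(ctype, body):
    """Serialize one PNG chunk (length, type, body, CRC over type+body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data):
    """Walk the chunk list up to IEND.

    Returns (chunks, end): chunks are (type, offset, length, crc_ok) tuples and
    end is the offset just past IEND's CRC, i.e. where a viewer stops reading.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", crc_field)[0] == expected
        chunks.append((ctype, pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def trailing_data(data):
    """Bytes after IEND: what a loader would seek() to and read() back."""
    _, end = parse_png(data)
    return data[end:]


def audit_png(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    chunks, end = parse_png(data)
    for ctype, off, _length, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC on %s chunk at offset %d"
                            % (ctype.decode("latin-1"), off))
    if end < len(data):
        findings.append("%d trailing bytes after IEND" % (len(data) - end))
    for magic, name in EXEC_MAGICS.items():
        idx = data.find(magic)
        if idx != -1:
            findings.append("%s magic at offset %d" % (name, idx))
    return findings


def build_sample_png():
    """Constructed 1x1 8-bit grayscale PNG, unrelated to the malicious package."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


# Constructed stand-in for an embedded Mach-O: just the magic plus padding.
FAKE_PAYLOAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 60


def build_trojaned_png():
    """A valid image followed by the payload; viewers ignore bytes after IEND."""
    return build_sample_png() + FAKE_PAYLOAD


if __name__ == "__main__":
    for label, img in (("clean", build_sample_png()),
                       ("trojaned", build_trojaned_png())):
        print(label + ":", audit_png(img) or "no findings")
```

Run against a package's image files after unpacking the sdist; a PNG that is much larger than its pixel dimensions justify, carries trailing data, or contains a Mach-O or ELF header deserves a closer look before anything in that package is installed.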

Initial analysis suggests that the embedded Go executable is an implant generated with "Sliver", the open source command-and-control framework that positions itself as an alternative to the commercial "Cobalt Strike".

The complexity of the attack and its delivery mechanism (a trojanized package rather than an exploit) may suggest a targeted, possibly sponsored operation rather than opportunistic malware.
