Typosquatted Go Packages Deliver Malware Loader Targeting Li...
Essential information
- Published: 04/04/2025 11:47
- Modified: 04/04/2025 17:02
- Tags: 2025-04-04, elf-malware, f0eee999, go-packages, linux, macos, obfuscation, supply chain attack, typosquatting
- Related entities: 1 malware, 2 others
Description
A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. The packages download and execute remote scripts that install an ELF file named f0eee999, which exhibits minimal initial malicious behavior. The campaign specifically targets UNIX-like environments, placing developers at risk. Multiple domains and fallback infrastructure suggest a persistent and adaptable threat actor. Developers are advised to implement real-time scanning tools, code audits, and careful dependency management to mitigate the risk of supply chain compromises.