In recent weeks, the security community has raised the alarm about a campaign that exploits trust in the Go ecosystem's supply chain. Researchers have identified a malicious module hosted on GitHub that impersonates the official golang.org/x/crypto library and introduces code to capture passwords, open persistent access over SSH and finally deploy a backdoor on Linux systems.
The detected repository, located at github.com/xinfeisoft/crypto and still visible on pkg.go.dev, takes advantage of namespace confusion and the common practice of treating GitHub as a mirror of Go's subrepositories. According to the Socket team, the malicious actor exploits precisely this ambiguity so that the dependency looks legitimate in dependency graphs and goes unnoticed in surface-level reviews; the complete analysis is available on the Socket blog.

What the malicious code does is simple and particularly dangerous: it modifies the terminal implementation file, the one containing the function that reads passwords without echoing them. Each time an application invokes that routine to request sensitive input, the module intercepts what the user types and sends it to a server controlled by the attacker. It does not end there: the module then fetches a shell script from an external resource that acts as the initial intrusion stage.
That downloaded script behaves like a typical first-stage installer: it adds the attacker's SSH key to the user's authorization file (e.g., /home/ubuntu/.ssh/authorized_keys), tries to relax firewall policies to allow inbound connections, and downloads additional payloads disguised with an .mp5 extension. One such payload appears to be a small helper program that checks connectivity and attempts to contact a remote server at 154.84.63.184 over TCP port 443; its behaviour fits that of a reconnaissance component or loader that prepares the ground for later phases.
The second payload is particularly worrying: it is Rekoobe, a Linux Trojan known for years. Public records and analyses document the presence of Rekoobe since at least 2015, and technical publications have detailed how this backdoor allows an operator to run remote commands, download new binaries, steal files and set up reverse shells. Several reports have linked its variants to groups involved in espionage operations, including state-motivated actors; research on Rekoobe can be consulted in sources such as Dr. Web and technical analyses such as TechEvo's.
This case illustrates two dangerous vectors combined: on the one hand the impersonation of a high-value module (one that sits at a critical point, namely reading passwords from the console), and on the other the use of dynamic hosting (raw.githubusercontent.com and external resources) as a rotation mechanism for malicious infrastructure. According to the researchers, this pattern is cheap for attackers to implement and has high impact, so we are likely to see imitations targeting other libraries responsible for handling credentials: SSH helpers, CLI authentication prompts or database connectors, among others.
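A check a defender can run against the persistence step described above, added here as an example and not taken from the article or the Socket report: a Go program that parses an authorized_keys file, computes the SHA256 fingerprint that OpenSSH displays for each key, and reports any key whose fingerprint is not on an approved baseline. The file content, the key blobs (syntactically valid ssh-ed25519 wire blobs filled with constructed bytes, not real keys), the options prefix and the baseline are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyEntry is one parsed authorized_keys line.
type KeyEntry struct {
	Line        int
	Type        string
	Fingerprint string // OpenSSH style: SHA256:<base64 without padding>
	Comment     string
}

// Key types this parser recognises (assumption: a subset of OpenSSH's list).
var knownTypes = map[string]bool{
	"ssh-ed25519": true, "ssh-rsa": true,
	"ecdsa-sha2-nistp256": true, "ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
	"sk-ssh-ed25519@openssh.com": true, "sk-ecdsa-sha2-nistp256@openssh.com": true,
}

// Fingerprint computes the SHA256 fingerprint OpenSSH prints for a raw public key blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParseAuthorizedKeys parses file content, skipping comments and blank lines and
// tolerating a leading options field (e.g. from="...", command="...").
func ParseAuthorizedKeys(content string) []KeyEntry {
	var entries []KeyEntry
	for n, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		// Locate the key-type field; anything before it is the options field.
		start := -1
		for i, f := range fields {
			if knownTypes[f] && i+1 < len(fields) {
				start = i
				break
			}
		}
		if start < 0 {
			continue
		}
		blob, err := base64.StdEncoding.DecodeString(fields[start+1])
		if err != nil {
			continue // malformed key material; a stricter audit might flag this too
		}
		entries = append(entries, KeyEntry{
			Line: n + 1, Type: fields[start], Fingerprint: Fingerprint(blob),
			Comment: strings.Join(fields[start+2:], " "),
		})
	}
	return entries
}

// AuditAuthorizedKeys returns every key whose fingerprint is not in the approved baseline.
func AuditAuthorizedKeys(content string, approved map[string]bool) []KeyEntry {
	var unexpected []KeyEntry
	for _, e := range ParseAuthorizedKeys(content) {
		if !approved[e.Fingerprint] {
			unexpected = append(unexpected, e)
		}
	}
	return unexpected
}

// appendU32 appends a big-endian uint32, the length prefix used by the SSH wire format.
func appendU32(b []byte, v uint32) []byte {
	return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}

// fakeEd25519Blob builds a syntactically valid ssh-ed25519 wire blob whose 32 key
// bytes are a constructed fill value (not a real key) so the example runs offline.
func fakeEd25519Blob(fill byte) []byte {
	b := appendU32(nil, uint32(len("ssh-ed25519")))
	b = append(b, "ssh-ed25519"...)
	b = appendU32(b, 32)
	for i := 0; i < 32; i++ {
		b = append(b, fill)
	}
	return b
}

var (
	knownKey   = base64.StdEncoding.EncodeToString(fakeEd25519Blob(0x11))
	unknownKey = base64.StdEncoding.EncodeToString(fakeEd25519Blob(0x22))

	// Constructed authorized_keys content: one baseline key, one key that was not approved.
	sampleAuthorizedKeys = "# ops baseline\n" +
		"ssh-ed25519 " + knownKey + " ops@bastion\n" +
		"no-pty,command=\"/usr/bin/true\" ssh-ed25519 " + unknownKey + " unexpected@host\n"

	// Fingerprints the team has approved (assumption: maintained out of band).
	approvedFingerprints = map[string]bool{Fingerprint(fakeEd25519Blob(0x11)): true}
)

func main() {
	for _, e := range AuditAuthorizedKeys(sampleAuthorizedKeys, approvedFingerprints) {
		fmt.Printf("line %d: unapproved %s key %s (%s)\n", e.Line, e.Type, e.Fingerprint, e.Comment)
	}
}
```

Comparing fingerprints rather than raw lines means a key that is re-added with different options or a new comment is still recognised, and the baseline can be built from the same `ssh-keygen -lf` output operators already use.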

The community and users of the Go ecosystem have reacted by blocking the malicious package at known checkpoints, but the incident serves as a reminder: the mere presence of a module in a public index does not guarantee its integrity. Transitive dependencies can open critical gaps, and teams must assume that any interface that touches secrets deserves additional protection.
For developers and security leads this means, among other things, validating and pinning dependency versions, carefully reviewing changes in third-party modules that interact with credentials, using module proxies and checksum verification mechanisms (go.sum), and monitoring security alerts about impersonated packages. It is also important to audit external supply channels (scripts downloaded with curl | sh, content hosted on raw.githubusercontent.com, etc.) and to reduce trust in unsigned and unverified downloads.
In short, the episode is a call to strengthen hygiene practices in the software supply chain: when a library touches the boundary where secrets are handled, a small malicious modification can quickly become a complete intrusion. The publications of the research teams and the repositories that document these campaigns are valuable resources for understanding the technique and preparing better; consult the Socket report for technical details and examples of how the campaign was conducted, and the analyses of Rekoobe linked above if you want to go deeper into the backdoor's capabilities.
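One concrete way to act on the review advice above, added here as an example and not part of the original article or of any of the cited reports: a small Go program that scans a go.mod file for module paths that borrow the name of a golang.org/x subrepository while living on another host (the namespace confusion this campaign relies on), and for replace directives that redirect a golang.org/x module elsewhere. The go.mod content, the list of subrepository names and the example.com/mirror/term path are constructed for the example; github.com/xinfeisoft/crypto is the path reported in the article.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Canonical import prefix for the Go subrepositories.
const canonicalPrefix = "golang.org/x/"

// Names of golang.org/x subrepositories whose GitHub mirrors are easily confused
// with the canonical module path (assumption: illustrative, not exhaustive).
var xSubrepos = map[string]bool{
	"crypto": true, "net": true, "sys": true, "text": true, "tools": true,
	"term": true, "oauth2": true, "sync": true, "mod": true, "time": true,
}

// Finding describes one suspicious module reference in a go.mod file.
type Finding struct {
	Line   int
	Module string
	Reason string
}

func lastSegment(p string) string {
	if i := strings.LastIndex(p, "/"); i >= 0 {
		return p[i+1:]
	}
	return p
}

// checkRequire flags a required module that carries a subrepository name on a non-canonical host.
func checkRequire(n int, path string) *Finding {
	if strings.HasPrefix(path, canonicalPrefix) {
		return nil
	}
	if strings.Contains(path, "/") && xSubrepos[lastSegment(path)] {
		return &Finding{n, path, "module path ends in the name of a golang.org/x subrepository but is hosted elsewhere"}
	}
	return nil
}

// checkReplace flags "old [ver] => new [ver]" when old is canonical and new is not.
func checkReplace(n int, fields []string) *Finding {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
			break
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) {
		return nil
	}
	old, repl := fields[0], fields[arrow+1]
	if strings.HasPrefix(old, canonicalPrefix) && !strings.HasPrefix(repl, canonicalPrefix) {
		return &Finding{n, old, "replace directive redirects a golang.org/x module to " + repl}
	}
	return nil
}

// AuditGoMod scans go.mod content (single-line and block forms of require/replace).
func AuditGoMod(goMod string) []Finding {
	var findings []Finding
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case len(fields) == 2 && fields[0] == "require" && fields[1] == "(":
			inRequire = true
			continue
		case len(fields) == 2 && fields[0] == "replace" && fields[1] == "(":
			inReplace = true
			continue
		case fields[0] == ")":
			inRequire, inReplace = false, false
			continue
		}
		var f *Finding
		switch {
		case fields[0] == "require" && len(fields) >= 2:
			f = checkRequire(n, fields[1])
		case inRequire:
			f = checkRequire(n, fields[0])
		case fields[0] == "replace":
			f = checkReplace(n, fields[1:])
		case inReplace:
			f = checkReplace(n, fields)
		}
		if f != nil {
			findings = append(findings, *f)
		}
	}
	return findings
}

// Constructed go.mod: the canonical module, the impersonating path from the article,
// an unrelated module, and a replace that points a subrepository at a placeholder host.
const sampleGoMod = `module example.com/app

go 1.22

require (
	golang.org/x/crypto v0.26.0
	github.com/xinfeisoft/crypto v0.1.0 // looks like a mirror
	github.com/spf13/cobra v1.8.0
)

replace golang.org/x/term => example.com/mirror/term v0.1.0
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

This is a cheap pre-merge check for the lookalike pattern the article describes; it complements rather than replaces `go mod verify` and the checksum database, which catch tampered contents but not a legitimately published module under a confusable path.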