Cybersecurity researchers have uncovered a malicious Go module that impersonates a widely used cryptographic library in an attempt to steal passwords, establish persistent SSH access, and deploy a Linux backdoor known as Rekoobe. The discovery highlights ongoing risks in open source ecosystems, where dependency confusion and namespace impersonation can expose developers and organizations to supply chain compromises.
The malicious package, hosted at github.com/xinfeisoft/crypto, is designed to mimic the legitimate golang.org/x/crypto repository. According to findings shared by Socket security researcher Kirill Boychenko, the threat actor exploited subtle differences between the official Go cryptography project and its GitHub mirror to make the fraudulent module appear authentic in dependency graphs. The legitimate project identifies go.googlesource.com/crypto as its canonical source, with GitHub serving as a mirror, a nuance that attackers leveraged to make the fake repository seem routine and trustworthy.

Once integrated into a project, the altered module injects malicious code into the ssh/terminal/terminal.go file. Specifically, it modifies the ReadPassword function, which developers commonly use to capture sensitive input such as terminal passwords. Instead of simply reading user input securely, the compromised function exfiltrates captured secrets to a remote endpoint controlled by the threat actor. After transmitting the stolen data, the module retrieves a shell script from the same remote source and executes it on the affected system.
The downloaded shell script acts as a Linux stager, enabling further compromise. It appends an attacker-controlled SSH key to the /home/ubuntu/.ssh/authorized_keys file to ensure persistent access. In addition, the script modifies iptables default policies to ACCEPT, effectively loosening firewall restrictions and increasing exposure. It then proceeds to fetch additional payloads from an external server, disguising them with a .mp5 file extension to evade casual detection. One of the retrieved payloads functions as a helper utility that tests internet connectivity and attempts communication with the IP address 154.84.63.184 over TCP port 443. Researchers believe this component likely serves as a reconnaissance tool or loader to prepare the environment for further operations. The second payload has been identified as Rekoobe, a Linux trojan active in the wild since at least 2015. Rekoobe is capable of receiving commands from an attacker-controlled server, downloading supplementary malware, stealing files, and executing reverse shell commands to grant remote control of infected systems.
Rekoobe has previously been linked to advanced threat activity, including campaigns attributed to Chinese nation-state groups such as APT31, which used the backdoor as recently as August 2023. Although the malicious module remains visible on pkg.go.dev at the time of reporting, the Go security team has taken action to block the package as malicious. Researchers warn that this type of attack pattern is relatively simple to execute yet highly effective. By targeting high-value functions like ReadPassword in credential-handling libraries and using platforms such as GitHub Raw to rotate infrastructure without republishing code, attackers can maintain operational flexibility while minimizing detection. Security experts advise organizations to carefully audit dependencies, verify module origins against canonical sources, and monitor for unexpected outbound connections or changes to SSH configuration files. The incident underscores the need for continuous vigilance across software supply chains, particularly when integrating widely trusted open source components into production environments.
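A small dependency check in the spirit of that advice, added here as an example and not code from Socket, the Go project or the reporting researcher: it scans a go.mod for required modules that reuse a golang.org/x package name under a different host, and for replace directives that redirect a canonical golang.org/x module elsewhere, against a constructed go.mod that mirrors the xinfeisoft case. The xNames list and the sample module contents are assumptions.

```go
package main

import (
	"bufio"
	"path"
	"strings"
)

// Finding is one go.mod line that deserves a human look.
type Finding struct{ Line int; Module, Reason string }

// golang.org/x module names an impersonator might reuse under another host (assumed list).
var xNames = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true, "text": true, "mod": true, "tools": true}

// AuditGoMod flags required modules that reuse a golang.org/x name under another host, and
// replace directives that redirect a golang.org/x module elsewhere (heuristic; local replaces show up too).
func AuditGoMod(gomod string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		line = strings.TrimPrefix(strings.TrimPrefix(line, "require "), "replace ") // single-line forms
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		if l, r, ok := strings.Cut(line, "=>"); ok { // replace directive: old [v] => new [v]
			lf, rf := strings.Fields(l), strings.Fields(r)
			if len(lf) > 0 && len(rf) > 0 && strings.HasPrefix(lf[0], "golang.org/x/") && !strings.HasPrefix(rf[0], "golang.org/x/") {
				out = append(out, Finding{n, lf[0], "replace redirects canonical module to " + rf[0]})
			}
			continue
		}
		f := strings.Fields(line) // require entry: module version [// indirect]
		if len(f) >= 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			if base := path.Base(f[0]); xNames[base] && !strings.HasPrefix(f[0], "golang.org/x/") {
				out = append(out, Finding{n, f[0], "reuses the golang.org/x/" + base + " name under another host"})
			}
		}
	}
	return out
}

// SampleGoMod is a constructed go.mod modelled on the impersonation above, not a real project's.
const SampleGoMod = `module example.com/app
require (
	github.com/xinfeisoft/crypto v0.1.0
	golang.org/x/sys v0.20.0
)
replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.1.0
`
```

Run it over the output of `go list -m -f '{{.Path}} {{.Version}}' all` as well as go.mod to catch impersonators pulled in transitively.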