Cybersecurity researchers have identified 11 malicious Go packages engineered to download and execute additional payloads from remote servers on both Windows and Linux platforms.
The identified packages are listed below:
- github.com/stripedconsu/linker
- github.com/agitatedleopa/stm
- github.com/expertsandba/opt
- github.com/wetteepee/hcloud-ip-floater
- github.com/weightycine/replika
- github.com/ordinarymea/tnsr_ids
- github.com/ordinarymea/TNSR_IDS
- github.com/cavernouskina/mcp-go
- github.com/lastnymph/gouid
- github.com/sinfulsky/gouid
- github.com/briefinitia/gouid
The packages contain an obfuscated loader designed to retrieve second-stage ELF and Portable Executable (PE) binaries. These binaries are capable of collecting host information, accessing web browser data, and communicating with a command-and-control (C2) server.
According to Brown, the second-stage payload targets both Linux and Windows systems—delivering a bash-scripted payload for Linux and retrieving Windows executables using certutil.exe. This makes both Linux build servers and Windows workstations vulnerable to compromise.
A major contributing factor is the decentralized structure of the Go ecosystem, which permits modules to be imported directly from GitHub repositories. This often causes confusion among developers, as searches on pkg.go.dev can return numerous similarly named modules that aren't necessarily malicious.
“Attackers take advantage of this confusion by crafting malicious modules with names that appear trustworthy, increasing the chances of developers unintentionally including harmful code in their projects,” said security firm Socket.
Researchers believe the malicious Go packages originate from a single threat actor, based on similarities in code structure and shared command-and-control (C2) infrastructure. The findings highlight persistent supply chain risks driven by Go’s cross-platform capabilities, which attackers are leveraging to distribute malware.
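As an added example (not the researchers' or any project's code), the following Go check scans a go.mod against the module paths listed above and flags both exact matches and same-name lookalikes under a different owner, the pattern seen with the three gouid variants. The sample go.mod and the github.com/someone/gouid path are constructed for illustration.

```go
package main
import "strings"

var knownBad = []string{ // module paths named in the report above
	"github.com/stripedconsu/linker",
	"github.com/agitatedleopa/stm",
	"github.com/expertsandba/opt",
	"github.com/wetteepee/hcloud-ip-floater",
	"github.com/weightycine/replika",
	"github.com/ordinarymea/tnsr_ids",
	"github.com/ordinarymea/TNSR_IDS",
	"github.com/cavernouskina/mcp-go",
	"github.com/lastnymph/gouid",
	"github.com/sinfulsky/gouid",
	"github.com/briefinitia/gouid",
}
type Finding struct{ Module, Reason string }

// classify flags an exact (case-insensitive) match, catching tnsr_ids/TNSR_IDS either way, or a module
// whose last path element matches one under another owner (the gouid pattern); generic names like "opt" need review.
func classify(mod string) (Finding, bool) {
	for _, bad := range knownBad {
		if strings.EqualFold(mod, bad) {
			return Finding{mod, "matches reported malicious module " + bad}, true
		}
	}
	for _, bad := range knownBad {
		if strings.EqualFold(baseName(mod), baseName(bad)) {
			return Finding{mod, "same name as reported module " + bad + "; verify the owner"}, true
		}
	}
	return Finding{}, false
}
func baseName(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// AuditGoMod scans go.mod text for "<module> <version>" pairs in single-line or block require
// directives and returns findings in file order.
func AuditGoMod(goMod string) []Finding {
	var out []Finding
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || !strings.Contains(f[0], "/") || !strings.HasPrefix(f[1], "v") {
			continue // skips module, go and replace lines, comments and block delimiters
		}
		if fnd, ok := classify(f[0]); ok {
			out = append(out, fnd)
		}
	}
	return out
}
// Constructed sample go.mod; github.com/someone/gouid is a hypothetical path.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/ordinarymea/TNSR_IDS v0.1.0\n\tgithub.com/someone/gouid v1.2.0\n\tgolang.org/x/crypto v0.26.0\n)\n"
```

Running AuditGoMod over sampleGoMod flags the TNSR_IDS entry as an exact match and the gouid entry as a lookalike, while golang.org/x/crypto passes; lookalike hits are a prompt to verify the owner, not proof of compromise.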
This discovery coincides with the exposure of two malicious npm packages – naya-flore and nvlore-hsc – which masquerade as WhatsApp socket libraries. These packages feature a kill switch triggered by phone number checks, capable of remotely wiping a developer's system.
Despite accumulating over 1,110 downloads, both packages remain available on the npm registry at the time of writing. Published by a user named "nayflore" in early July 2025, the packages download a database of Indonesian phone numbers from a GitHub repository. If the system's phone number isn't in the list, the package initiates a recursive deletion of all files via the rm -rf * command after pairing with WhatsApp.
Additionally, the packages include a function designed to exfiltrate device information to an external server. While the function is currently commented out, it suggests active development by the threat actor.
Security researcher Kush Pandya also revealed that naya-flore contains a hardcoded GitHub Personal Access Token, which grants unauthorized access to private repositories. The intent behind the token remains unclear based on the current code.
The presence of an unused GitHub token may point to unfinished development, planned features that were never implemented, or possible use in other parts of the code not included in the current packages.
Open-source repositories remain a popular vector for malware distribution within software supply chains. These malicious packages are often designed to steal sensitive data, and in some cases, even target cryptocurrency wallets.
“While attackers haven’t drastically changed their overall tactics, they continue to rely on effective techniques—such as reducing the number of files, leveraging installation scripts, and using stealthy data exfiltration methods to maximize their reach,” noted Fortinet FortiGuard Labs.
FortiGuard also emphasized the growing use of obfuscation, highlighting the critical need for users to maintain vigilance and continuously monitor dependencies. As open-source software adoption expands, so does the potential attack surface for supply chain threats.