Cybersecurity researchers have uncovered a malicious Go module that impersonates a trusted cryptography library while secretly stealing passwords and deploying a Linux backdoor known as Rekoobe.
The rogue package, published under the path github[.]com/xinfeisoft/crypto, mimics the legitimate Go cryptography repository golang.org/x/crypto. However, instead of providing safe cryptographic utilities, it embeds hidden functionality designed to intercept sensitive data and grant attackers persistent access to infected systems.
Namespace Confusion Enables Supply Chain Attack
According to researchers at Socket, the attack leverages namespace confusion. The official crypto repository identifies go.googlesource.com/crypto as its canonical source, with GitHub acting as a mirror. The threat actor exploited this distinction by creating a lookalike GitHub module that appears legitimate in dependency trees and development workflows.
The malicious code was inserted into the ssh/terminal/terminal.go file. Whenever a victim application calls the ReadPassword function, which is intended to securely capture terminal input such as login credentials, the altered version secretly records the entered passwords.
These harvested secrets are transmitted to a remote server. In response, the compromised system downloads and executes a shell script, initiating the next phase of the intrusion.
Linux Stager Establishes Persistence
The downloaded script acts as a Linux staging component. It appends the attacker’s SSH public key to the /home/ubuntu/.ssh/authorized_keys file, ensuring ongoing access without needing stolen passwords again.
To weaken system defenses, the script modifies iptables firewall rules by setting default policies to ACCEPT, effectively relaxing network restrictions. It also retrieves additional payloads from an external server, disguising them with a .mp5 extension to evade suspicion.
One of the payloads functions as a connectivity checker and loader. It attempts to establish TCP communication with the IP address 154.84.63[.]184 over port 443, likely serving reconnaissance or staging purposes before the final malware is delivered.

Rekoobe Backdoor Deployment
The second payload has been identified as Rekoobe, a Linux trojan active in the wild since at least 2015. Rekoobe allows attackers to execute remote commands, download further malware, steal files, and launch reverse shells for direct interactive control.
The backdoor has previously been associated with Chinese state-linked threat groups, including APT31, which reportedly used the malware in operations as recently as August 2023.
Although the malicious module remained visible on pkg.go.dev at the time of discovery, the Go security team has since blocked it after confirming its harmful behavior.
Ongoing Supply Chain Risk
Researchers warn that this campaign highlights a recurring pattern in open source supply chain attacks. By cloning a trusted library name and targeting high value functions such as password input handlers, attackers can gain immediate access to credentials and system control.
Experts caution that similar tactics may soon target other sensitive development components, including SSH utilities, command line authentication libraries, and database connectors. The use of rotating hosting infrastructure and indirect payload retrieval further complicates detection and mitigation.
Organizations are advised to verify dependency sources carefully, monitor unexpected network communications from development environments, and implement strict module integrity checks to reduce exposure to namespace impersonation attacks.
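As an added example (not code from Socket's research or from this article), the following Go check flags go.mod dependencies whose module path reuses a golang.org/x name but is hosted outside golang.org/x and its official github.com/golang mirror, which is the namespace-confusion pattern described above. The watched-name list and the sample go.mod text are assumptions constructed for the example; on that sample it reports github.com/xinfeisoft/crypto.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)
// golang.org/x module names worth watching (an assumed list for this example).
var xModules = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true, "text": true}
// isLookalike: the path ends in a golang.org/x module name but is hosted outside golang.org/x or its official github.com/golang mirror.
func isLookalike(path string) bool {
	name := path[strings.LastIndex(path, "/")+1:]
	return xModules[name] && !strings.HasPrefix(path, "golang.org/x/") && !strings.HasPrefix(path, "github.com/golang/")
}
// SuspiciousRequires scans go.mod text (single-line and block require forms, trailing comments ignored) and returns lookalike paths.
func SuspiciousRequires(gomod string) []string {
	var hits []string
	inBlock, sc := false, bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" and similar comments
		f := strings.Fields(line)
		path := ""
		switch {
		case len(f) > 1 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) > 0 && f[0] == ")":
			inBlock = false
		case len(f) > 1 && f[0] == "require":
			path = f[1] // single-line form: require <path> <version>
		case inBlock && len(f) > 0:
			path = f[0] // block form: <path> <version>
		}
		if path != "" && isLookalike(path) {
			hits = append(hits, path)
		}
	}
	return hits
}
// Constructed go.mod text that includes the module path named in the article.
const sampleGoMod = `require golang.org/x/net v0.25.0
require (
	github.com/golang/crypto v0.0.0-20240101000000-000000000000 // official mirror
	github.com/xinfeisoft/crypto v0.0.0-20240101000000-000000000000
	github.com/spf13/cobra v1.8.0 // indirect
)`
func main() {
	for _, p := range SuspiciousRequires(sampleGoMod) {
		fmt.Println("review dependency source:", p)
	}
}
```

The check is a heuristic for review, not proof of compromise: a legitimate third-party module may also end in a name such as crypto, so flagged paths should be confirmed against go.sum and the module's canonical source.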