Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems.
"At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory," Socket security researcher Olivia Brown said.
The list of identified packages is below -
- github.com/stripedconsu/linker
- github.com/agitatedleopa/stm
- github.com/expertsandba/opt
- github.com/wetteepee/hcloud-ip-floater
- github.com/weightycine/replika
- github.com/ordinarymea/tnsr_ids
- github.com/ordinarymea/TNSR_IDS
- github.com/cavernouskina/mcp-go
- github.com/lastnymph/gouid
- github.com/sinfulsky/gouid
- github.com/briefinitia/gouid
The packages conceal an obfuscated loader that harbors functionality to fetch second-stage ELF and portable executable (PE) binaries, which, in turn, can gather host information, access web browser data, and beacon out to its C2 server.
"Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise," Brown said.
Complicating matters is the decentralized nature of the Go ecosystem, which allows modules to be directly imported from GitHub repositories, causing significant developer confusion when searches for a package on pkg.go.dev can return several similarly named modules, although they may not necessarily be malicious in nature.
"Attackers exploit the confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects," Socket said.
It's assessed that the packages are the work of a single threat actor due to C2 reuse and the format of the code. The findings underscore the continued supply chain risks arising from the cross-platform nature of Go to push malware.
The development coincides with the discovery of two npm packages, naya-flore and nvlore-hsc, that masquerade as WhatsApp socket libraries while incorporating a phone number-based kill switch that can remotely wipe developers' systems.
The packages, which have been collectively downloaded over 1,110 downloads, continue to remain available on the npm registry as of writing. Both libraries were published by a user named "nayflore" in early July 2025.
Central to their operations is their ability to retrieve a remote database of Indonesian phone numbers from a GitHub repository. Once the package is executed, it first checks if the current phone is in the database, and, if not, proceeds to recursively delete all files using the command "rm -rf *" following a WhatsApp pairing process.
The packages have also been found to contain a function to exfiltrate device information to an external endpoint, but calls to the function have been commented out, suggesting that the threat actor behind the scheme is signaling ongoing development.
"naya-flore also contains a hardcoded GitHub Personal Access Token that provides unauthorized access to private repositories," security researcher Kush Pandya said. "The purpose of this token remains unclear from the available code."
"The presence of an unused GitHub token could indicate incomplete development, planned functionality that was never implemented, or usage in other parts of the codebase not included in these packages."
Open-source repositories continue to be an attractive malware distribution channel in software supply chains, with the packages designed to steal sensitive information and even targeting cryptocurrency wallets in some cases.
"While overall tactics have not evolved significantly, attackers continue to rely on proven techniques, such as minimizing file count, using installation scripts, and employing discreet data exfiltration methods that maximize impact," Fortinet FortiGuard Labs said.
"A continued rise in obfuscation also further notes the importance of vigilance and ongoing monitoring required by users of these services. And as OSS continues to grow, so too will the attack surface for supply chain threats."
