
Cybersecurity researchers have discovered a set of 11 malicious Go packages designed to download additional payloads from remote servers and run them on both Windows and Linux systems.
“At runtime, the code quietly generates a shell, pulls two-stage payloads from the exchangeable set of .icu and .tech command-and-control (C2) endpoints and runs them in memory.”
The list of identified packages is as follows:
github.com/stripedconsu/linker
github.com/agitatedleopa/stm
github.com/expertsandba/opt
github.com/wetteepee/hcloud-ip-floater
github.com/weightycine/replika
github.com/ordinarymea/tnsr_ids
github.com/ordinarymea/tnsr_ids
github.com/cavernouskina/mcp-go
github.com/lastnymph/gouid
github.com/sinfulsky/gouid
github.com/briefinitia/gouid
Each package embeds an obfuscated loader that retrieves second-stage ELF and Portable Executable (PE) binaries. These binaries collect host information, access web browser data, and beacon to the C2 server.

“The second stage payload provides a payload with a bash script for Linux systems and retrieves the Windows executable through Certutil.exe, making it easy to compromise both Linux build servers and Windows workstations,” Brown said.
What complicates the problem is the decentralized nature of the Go ecosystem: modules can be imported directly from any GitHub repository, and searching for packages on pkg.go.dev can be confusing for developers, since several similarly named modules from different namespaces may appear side by side.
“Attackers exploit the confusion and carefully create namespaces for malicious modules to make them seem trustworthy at a glance, significantly increasing the chances of potential developers inadvertently integrating destructive code into their projects,” says Socket.
The packages are assessed to be the work of a single threat actor, based on shared C2 infrastructure and code structure. The findings highlight the continued supply chain risk of attackers abusing Go's cross-platform nature to push malware.
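As an added defensive example (not code from Socket or the article), the following script parses a go.mod file, flags any require directive whose module path matches one of the paths listed above, and separately reports a package name that is required from more than one namespace, the look-alike pattern the namespace confusion above describes. The sample go.mod, the namespace github.com/someorg and the mixed-case spelling github.com/OrdinaryMea are constructed for the demonstration; the list of malicious paths is taken from the article as printed.

```python
import re
from collections import defaultdict

# Module paths as listed in the report above (the one duplicate entry collapsed).
KNOWN_MALICIOUS = {
    "github.com/stripedconsu/linker", "github.com/agitatedleopa/stm",
    "github.com/expertsandba/opt", "github.com/wetteepee/hcloud-ip-floater",
    "github.com/weightycine/replika", "github.com/ordinarymea/tnsr_ids",
    "github.com/cavernouskina/mcp-go", "github.com/lastnymph/gouid",
    "github.com/sinfulsky/gouid", "github.com/briefinitia/gouid",
}
REQUIRE_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)")

def parse_requires(gomod_text):
    """Return {module_path: version} from single-line and block require directives."""
    requires, in_block = {}, False
    for raw in gomod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as '// indirect'
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
        elif line.startswith("require ("):
            in_block = True
            continue
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):])
        else:
            continue
        if m:
            requires[m.group(1)] = m.group(2)
    return requires

def scan_gomod(gomod_text):
    """hits: required paths on the known-bad list (case-insensitive, since Go module
    paths are case-sensitive and a look-alike may differ only by case).
    lookalikes: bare package name -> the distinct namespaces requiring it."""
    requires = parse_requires(gomod_text)
    bad = {p.lower() for p in KNOWN_MALICIOUS}
    hits = sorted(p for p in requires if p.lower() in bad)
    by_name = defaultdict(set)
    for p in requires:
        namespace, name = p.rsplit("/", 1)
        by_name[name.lower()].add(namespace)
    lookalikes = {n: sorted(ns) for n, ns in by_name.items() if len(ns) > 1}
    return hits, lookalikes

# Constructed sample go.mod; someorg/gouid and OrdinaryMea are invented for the demo.
SAMPLE_GOMOD = """module example.com/app\n\ngo 1.22\n
require github.com/wetteepee/hcloud-ip-floater v0.1.0
require (\n\tgithub.com/OrdinaryMea/tnsr_ids v1.2.0 // indirect
\tgithub.com/lastnymph/gouid v0.0.1\n\tgithub.com/someorg/gouid v1.0.0\n)\n"""
```

Run `scan_gomod(SAMPLE_GOMOD)` to get three hits and one look-alike group for `gouid`; in practice the same check belongs in CI over go.mod and go.sum before a build server fetches modules.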
This development coincides with the discovery of two npm packages, Naya-Flore and Nvlore-HSC, which incorporate a phone number-based kill switch that lets the operator remotely wipe a developer's system.
The packages, which have collectively attracted 1,110 downloads, were still available in the npm registry at the time of writing. Both libraries were published in early July 2025 by a user named “Nayflore.”
The core of their operation is retrieving a remote database of Indonesian phone numbers from a GitHub repository. Once the package runs, it first checks whether the current phone number is in the database; if it is not, it recursively deletes all files with the command “rm -rf *” after the WhatsApp pairing process.
The packages also contain functions that exfiltrate device information to external endpoints, but the calls to those functions have been commented out, suggesting that the threat actor behind the scheme is still developing it.
“Naya-Flore also includes a hardcoded GitHub personal access token that provides unauthorized access to private repositories,” said security researcher Kush Pandya. “The purpose of this token remains unknown from the available code.”

“The presence of unused GitHub tokens may indicate incomplete development, planned features, or use in other parts of the codebase that are not included in these packages.”
Open source repositories continue to be an attractive malware delivery channel in the software supply chain, designed to steal sensitive information and, in some cases, target cryptocurrency wallets.
“While the overall tactics have not evolved much, attackers continue to rely on proven techniques, such as minimizing file counts, using installation scripts, and using modest data stripping methods to maximize impact,” says Fortinet FortiGuard Labs.
“The continuous increase in obfuscation also further points to the importance of vigilance and continuous monitoring required by users of these services, and as OSS continues to grow, so does the attack surface due to supply chain threats.”