Cybersecurity researchers have disclosed a malicious Go module, github[.]com/xinfeisoft/crypto, designed to harvest passwords, gain persistent SSH access, and deploy a Linux backdoor named Rekoobe. The module impersonates the legitimate golang[.]org/x/crypto codebase, exfiltrating secrets entered at terminal password prompts to a remote endpoint and then executing a downloaded script that acts as a Linux stager.
The malicious functionality is implemented by inserting code into the ssh/terminal/terminal[.]go ReadPassword() flow to capture interactive secrets, while the downloaded script appends an attacker’s SSH key to /home/ubuntu/.ssh/authorized_keys, loosens firewall rules via iptables, and fetches further payloads disguised with a .mp5 extension.
Among the payloads, one tests connectivity to 154.84.63[.]184 over TCP port 443, and the other delivers Rekoobe, a known Linux trojan capable of receiving commands, downloading more payloads, stealing files and initiating a reverse shell; Rekoobe has been linked to APT31 activity as recently as August 2023.
According to Socket security researcher Kirill Boychenko, the Go package remains listed on pkg.go[.]dev, and the Go security team has blocked it as malicious, while defenders are urged to anticipate similar supply-chain attacks targeting credential-related libraries.
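As an added defender-side example (not code from the report, from Socket or from the Go project), the following Go program scans `go list -m all` output for third-party modules whose path tail mimics a golang.org/x package, the lookalike pattern the module above relies on; the watched package list, the sample dependency listing and the placeholder version string are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// golang.org/x package names worth watching for lookalikes (constructed list).
var xPackages = map[string]bool{"crypto": true, "net": true, "sys": true, "text": true, "tools": true, "oauth2": true}

// Finding is one dependency whose module path mimics a golang.org/x package.
type Finding struct {
	Module string // module path as listed by `go list -m all`
	Mimics string // the golang.org/x module it resembles
}

// suspiciousModules scans `go list -m all` output ("path version" per line,
// optionally "=> replacement") and flags modules hosted outside golang.org/x
// whose final path element is the name of a well-known x/ package.
func suspiciousModules(goListOutput string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "golang.org/x/") {
			continue // blank line or the genuine module
		}
		parts := strings.Split(fields[0], "/")
		if last := parts[len(parts)-1]; xPackages[last] {
			findings = append(findings, Finding{Module: fields[0], Mimics: "golang.org/x/" + last})
		}
	}
	return findings
}

// Constructed `go list -m all` output: the lookalike path is the one in the
// report, its version is a placeholder, cobra stands in for an ordinary dependency.
const sampleGoList = `example.com/app
golang.org/x/crypto v0.23.0
github.com/spf13/cobra v1.8.0
github.com/xinfeisoft/crypto v0.0.0-20240101000000-0123456789ab
`

func main() {
	for _, f := range suspiciousModules(sampleGoList) {
		fmt.Printf("suspicious: %s mimics %s\n", f.Module, f.Mimics)
	}
}
```

A hit is a triage lead rather than proof of compromise: confirm the flagged module's origin and compare it against the genuine golang.org/x source before acting.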