
RESEARCHERS have uncovered a malware campaign dubbed Muck and Load that relied on 222 fraudulent Go packages hosted on GitHub to steal cryptocurrency credentials and install persistent threats on Windows machines.
The malicious module posed as a legitimate DNS scanning tool, triggering a hidden PowerShell command that fetched and executed additional payloads from external servers, delivering trojans, information stealers and cryptominers to victims, as detailed in a recent SecurityWeek report.
Analysis showed the actor published over 1,200 versions of the tainted repositories, with roughly 700 classified as malicious, and many of those repos actually housed the malware binaries themselves while employing obfuscation to slip past script execution policies, according to Socket’s research.
The operation was observed between 10 July 2026 and has primarily targeted developers interested in cryptocurrency and Web3 tooling, although no specific threat actor has been attributed to the activity so far.
Defenders should treat any unexpected Go module as suspect, verify its checksum and provenance before use, monitor endpoints for unexplained PowerShell spawning and block outbound connections to unknown domains that appear in the infection chain.
Organisations can also enforce least‑privilege accounts on developer workstations, enable detailed logging of package manager activity and run regular software composition analysis scans to catch similar supply‑chain abuse in the future.