All incidents

Malware campaign spreads via fake Go packages on GitHub

breachopenJul 10, 2026 — Jul 10, 2026
Fake Go Packages Power Malware Network Aimed at Crypto Users

RESEARCHERS have uncovered a malware campaign dubbed Muck and Load that relied on 222 fraudulent Go packages hosted on GitHub to steal cryptocurrency credentials and install persistent threats on Windows machines.

The malicious module posed as a legitimate DNS scanning tool, triggering a hidden PowerShell command that fetched and executed additional payloads from external servers, delivering trojans, information stealers and cryptominers to victims, as detailed in a recent SecurityWeek report.

Analysis showed the actor published over 1,200 versions of the tainted repositories, with roughly 700 classified as malicious, and many of those repos actually housed the malware binaries themselves while employing obfuscation to slip past script execution policies, according to Socket’s research.

The operation was observed between 10 July 2026 and has primarily targeted developers interested in cryptocurrency and Web3 tooling, although no specific threat actor has been attributed to the activity so far.

Defenders should treat any unexpected Go module as suspect, verify its checksum and provenance before use, monitor endpoints for unexplained PowerShell spawning and block outbound connections to unknown domains that appear in the infection chain.

Organisations can also enforce least‑privilege accounts on developer workstations, enable detailed logging of package manager activity and run regular software composition analysis scans to catch similar supply‑chain abuse in the future.

Intelligence briefing updated Jul 10, 2026

Root sourcesocket.dev
Timeline Coverage

Swipe to explore timeline