A malicious Go module, disguised as a legitimate crypto library, has been discovered by Socket researchers that harvests passwords and deploys the Rekoobe Linux backdoor. The module, found at github.com/xinfeisoft/crypto, exploits namespace confusion to appear routine in dependency graphs. This discovery highlights a sophisticated supply chain attack targeting developers, based on information published by The Hacker News.The compromised Go module injects malicious code into the "ssh/terminal/terminal.go" file, specifically within the "ReadPassword()" function. This allows it to capture sensitive credentials entered by users at terminal password prompts and send them to a remote endpoint. Upon successful exfiltration, the module fetches and executes a shell script. This script acts as a Linux stager, adding a threat actor's SSH key to the "authorized_keys" file, loosening firewall restrictions by setting iptables policies to ACCEPT, and downloading further payloads.One of these payloads is a reconnaissance or loader program, while the other is the Rekoobe backdoor, a known Linux trojan active since at least 2015 and previously attributed to Chinese nation-state groups like APT31. The Go security team has since blocked the malicious package.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds




