CyberSecurity SEE

Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor in Developer Environments


Malicious Actors Exploit Go’s Open-Source Ecosystem with Backdoored Crypto Module

In a development that should concern developers and companies alike, a threat actor has exploited Go’s open-source ecosystem by publishing a backdoored cryptography module. The package is built to steal passwords and to install the Rekoobe Linux backdoor on development and continuous integration (CI) hosts. Because it imitates a library that a large share of Go projects depend on, its potential reach is broad.

The malicious package copies the layout of Go’s trusted cryptography library, golang.org/x/crypto, so closely that it can easily pass unnoticed in a code repository. It mirrors legitimate sub-packages such as argon2, bcrypt, and ssh, so it blends into a dependency graph. The disguise is not superficial: it is a deliberate strategy to make the module look reliable and safe while hiding its real purpose.

The actor also added a dependency on the legitimate module github.com/bitfield/script, which provides simple HTTP calls and shell execution. Routing those operations through a well-known utility library keeps the surrounding code looking routine and unremarkable, which helps the module pass review.

Socket’s Threat Research Team identified the fake module as github.com/xinfeisoft/crypto. It replicates the directory structure and sub-packages of the golang.org/x/crypto repository.

The Mechanics of the Attack

The attack begins when the compromised application calls the module’s modified ReadPassword. The function still reads the user’s input through term.ReadPassword, so the caller sees normal behaviour, but it also writes the captured plaintext password to an unusual location, the file /usr/share/nano/.lock, which serves as a stash for stolen credentials.

The key change sits in ssh/terminal/terminal.go, where the ReadPassword helper is backdoored. Because that helper is widely used by command-line tools to prompt for secrets, it is an attractive point for harvesting high-value credentials such as passphrases for SSH keys, database passwords, and API tokens.

After capturing a password, the compromised software fetches a GitHub Raw URL: a so-called “update” page at vue-element-admin/public/update.html in the actor’s repository. That page supplies a staging URL at run time, and the stolen password is sent to it in an HTTP POST request. In the next phase the code pulls additional shell content from the attacker and executes it through a shell.

Because the backdoor only fires on a real interactive password prompt, it stays dormant during many automated test runs and low-coverage scans, which makes it harder to catch.

Using GitHub Raw as an indirection layer lets the actor change the downstream infrastructure without republishing the Go module. The backdoor stays in place while the actor’s exposure is reduced.

The shell script retrieved from the attacker acts as a Linux stager: it prepares the compromised host and delivers further payloads. Among other things it adds an attacker-controlled SSH key to /home/ubuntu/.ssh/authorized_keys, sets the iptables default policies to ACCEPT, and downloads two binaries disguised with .mp5 extensions (sss.mp5 and 555.mp5).

Once the payloads have been executed, the temporary files are erased to minimize forensic artifacts and to hinder recovery.

Analysis of the extracted binaries shows that sss.mp5 behaves as a connectivity check: it talks over TCP, but its traffic does not match a standard TLS ClientHello. 555.mp5 was confirmed to be the Rekoobe Linux backdoor, a known threat linked to espionage activity.

Infrastructure and Ongoing Campaigns

The actor behind the campaign operates a GitHub account named xinfeisoft that hosts four repositories supporting the malicious infrastructure. The malicious crypto module and the vue-element-admin repository used for staging are the two core components. Notably, the commit history shows the actor actively maintaining the staging URL, which points to a sustained campaign rather than a one-off attempt.

As of early 2026 the public Go module proxy blocks github.com/xinfeisoft/crypto and returns a 403 SECURITY ERROR instead of serving it. This protects new users, but it does nothing for environments that downloaded or cached the module earlier; those still need to be checked and cleaned.

Socket’s AI Scanner now also flags the package for its backdoored ReadPassword behaviour and its network-and-shell scripting.

The incident shows how easily a high-trust library can be weaponized. By copying a critical module, backdooring a single credential-handling function, and hiding the malicious actions behind an ordinary utility dependency, an attacker can reach many systems with little effort.

Defensive Measures

Defenders should treat Go module paths as supply-chain trust boundaries. Review go.mod and go.sum for unrecognized changes, especially new module paths that resemble golang.org/x packages or replace directives that redirect them, and scrutinize any new utility dependency that brings in outbound HTTP calls or shell execution.
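The go.mod review above can be automated. The program below is an added example written for this article, not Socket’s tooling or anything from the report: it scans go.mod text for module paths that mirror a golang.org/x repository under a different host, for replace directives that redirect a golang.org/x module, and for utility modules on a small review list (github.com/bitfield/script, as named in the report). The list of golang.org/x names, the review list, and the sample go.mod with its placeholder versions are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Repositories under golang.org/x/ that a look-alike module would mirror.
// This list is an assumption for the example; extend it for your own code base.
var xRepos = []string{"crypto", "net", "sys", "term", "text", "tools", "mod", "oauth2", "sync", "time"}

// Modules that combine outbound HTTP with shell execution and deserve a
// "why was this added?" review. github.com/bitfield/script is the one named in the report.
var reviewList = map[string]string{
	"github.com/bitfield/script": "bundles HTTP fetches with shell execution; review why it was added",
}

// Finding is one suspicious require or replace entry in go.mod.
type Finding struct {
	Line   int
	Module string
	Reason string
}

// checkModule applies the look-alike and review-list heuristics to one module path.
func checkModule(n int, mod string) []Finding {
	var out []Finding
	if reason, ok := reviewList[mod]; ok {
		out = append(out, Finding{n, mod, reason})
	}
	for _, name := range xRepos {
		// A path ending in /crypto that is not golang.org/x/crypto is exactly the
		// pattern in the report; treat it as "review", not "block".
		if strings.HasSuffix(mod, "/"+name) && mod != "golang.org/x/"+name {
			out = append(out, Finding{n, mod, fmt.Sprintf("mirrors golang.org/x/%s under a different module path", name)})
		}
	}
	return out
}

// checkReplace handles "old [version] => new [version]". Redirecting any
// golang.org/x/* module is flagged outright; other targets are checked like a require.
func checkReplace(n int, fields []string) []Finding {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) {
		return nil
	}
	old, repl := fields[0], fields[arrow+1]
	if strings.HasPrefix(old, "golang.org/x/") {
		return []Finding{{n, old, fmt.Sprintf("replace redirects %s to %s", old, repl)}}
	}
	return checkModule(n, repl)
}

// AuditGoMod scans go.mod text and returns findings in line order.
// It understands the single-line and block forms of require and replace.
func AuditGoMod(gomod string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inRequire, inReplace := false, false
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case line == "require (":
			inRequire = true
		case line == "replace (":
			inReplace = true
		case line == ")":
			inRequire, inReplace = false, false
		case inRequire:
			findings = append(findings, checkModule(n, fields[0])...)
		case inReplace:
			findings = append(findings, checkReplace(n, fields)...)
		case fields[0] == "require" && len(fields) >= 3:
			findings = append(findings, checkModule(n, fields[1])...)
		case fields[0] == "replace":
			findings = append(findings, checkReplace(n, fields[1:])...)
		}
	}
	return findings
}

// sampleGoMod is constructed for this example; the versions are placeholders, not real releases.
const sampleGoMod = `module example.com/cli

go 1.22

require (
	github.com/bitfield/script v0.22.0
	github.com/spf13/cobra v1.8.0
	github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
	golang.org/x/crypto v0.27.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

Run against the sample it reports three lines: the bitfield/script require, the xinfeisoft/crypto require, and the replace that redirects golang.org/x/crypto. The suffix heuristic is deliberately loose, so treat its output as a review queue for a pull request, not as a block list; a genuine fork of an x/ repository will trigger it too, and that is the point at which a human should ask why the fork is there.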

Detection should favour behavioural signals: writes to /usr/share/nano/.lock, an unexpected fetch from GitHub Raw followed by a dynamic POST to a newly learned host, and unauthorized changes to authorized_keys or iptables policies. These measures substantially reduce the risk from this and similar threats.
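The four behavioural signals above can be expressed as rules over a process-event stream. The program below is an added example for this article, not code from Socket or from the report: it consumes constructed, simplified audit events in a key=value line format (pid, comm, op, and a path, host/method, or cmd), correlates a GitHub Raw fetch with a later POST from the same process, and flags the stash file, authorized_keys writes, and iptables -P ... ACCEPT. The event format, the sample lines, and the 203.0.113.10 staging address (a documentation range) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one rule match over the event stream.
type Alert struct {
	Line int
	PID  string
	Rule string
}

const rawHost = "raw.githubusercontent.com"

// parseEvent turns "key=value ..." into a map. A "cmd=" field swallows the rest
// of the line so that command arguments containing spaces survive. The format is
// constructed for this example, not a real audit log schema.
func parseEvent(line string) map[string]string {
	ev := map[string]string{}
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			continue
		}
		if k == "cmd" {
			ev[k] = line[strings.Index(line, "cmd=")+len("cmd="):]
			break
		}
		ev[k] = v
	}
	return ev
}

// Detect applies the behavioural rules from the report to event lines:
// a write to /usr/share/nano/.lock, a POST from a process that has already
// fetched from GitHub Raw, a write to any authorized_keys, and an
// "iptables -P <chain> ACCEPT" execution. Line numbers are 1-based.
func Detect(lines []string) []Alert {
	var alerts []Alert
	fetchedRaw := map[string]bool{} // pid -> has fetched from GitHub Raw earlier in the stream
	for i, line := range lines {
		ev := parseEvent(line)
		pid, n := ev["pid"], i+1
		switch ev["op"] {
		case "write":
			if ev["path"] == "/usr/share/nano/.lock" {
				alerts = append(alerts, Alert{n, pid, "plaintext credential stash written to /usr/share/nano/.lock"})
			}
			if strings.HasSuffix(ev["path"], "/.ssh/authorized_keys") {
				alerts = append(alerts, Alert{n, pid, "authorized_keys modified: " + ev["path"]})
			}
		case "http":
			if ev["method"] == "GET" && ev["host"] == rawHost {
				fetchedRaw[pid] = true
			}
			// The POST target is learned at run time, so match on the sequence, not the host.
			if ev["method"] == "POST" && fetchedRaw[pid] && ev["host"] != rawHost {
				alerts = append(alerts, Alert{n, pid, "POST to " + ev["host"] + " after GitHub Raw fetch (staged exfiltration)"})
			}
		case "exec":
			f := strings.Fields(ev["cmd"])
			if len(f) >= 4 && f[0] == "iptables" && f[1] == "-P" && f[3] == "ACCEPT" {
				alerts = append(alerts, Alert{n, pid, "iptables default policy set to ACCEPT: " + ev["cmd"]})
			}
		}
	}
	return alerts
}

// sampleEvents is a constructed stream: one infected CLI process (4120), the
// stager shell it spawned (4133), and three benign processes that must not alert.
var sampleEvents = []string{
	"pid=4120 comm=deploy-cli op=write path=/usr/share/nano/.lock",
	"pid=4120 comm=deploy-cli op=http method=GET host=raw.githubusercontent.com",
	"pid=4120 comm=deploy-cli op=http method=POST host=203.0.113.10",
	"pid=4133 comm=sh op=write path=/home/ubuntu/.ssh/authorized_keys",
	"pid=4133 comm=sh op=exec cmd=iptables -P INPUT ACCEPT",
	"pid=4200 comm=git op=http method=GET host=github.com",
	"pid=4201 comm=go op=http method=GET host=proxy.golang.org",
	"pid=4202 comm=curl op=http method=POST host=api.example.com",
}

func main() {
	for _, a := range Detect(sampleEvents) {
		fmt.Printf("event %d pid %s: %s\n", a.Line, a.PID, a.Rule)
	}
}
```

The fetch-then-POST rule is keyed on the process rather than on a fixed destination because the staging host is whatever update.html hands back at the time; a rule that hard-codes today’s address would miss the next rotation. In a real deployment the same logic would sit behind an auditd, eBPF, or EDR event source, and the authorized_keys rule would typically be scoped to exclude your provisioning tooling.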

Indicators of Compromise (IOCs)

This situation serves as a potent reminder of the vulnerabilities that can arise within open-source ecosystems, underscoring the importance of vigilance and proactive security measures among developers and organizations.

