Ethical Hacking News
Researchers have uncovered a set of 11 malicious Go packages that can compromise both Windows and Linux systems, trigger remote data wipes, and steal sensitive information. The discovery highlights ongoing supply chain risks arising from cross-platform software development.
11 malicious Go packages have been discovered that can download and execute payloads on Windows and Linux systems.A single threat actor is believed to be behind the creation of these malicious packages due to C2 reuse and code format.Two npm packages, naya-flore and nvlore-hsc, are masquerading as WhatsApp socket libraries and have been downloaded over 1,110 times.The packages can retrieve a remote database of Indonesian phone numbers and delete files using the "rm -rf *" command.A hardcoded GitHub Personal Access Token has been found in one of the packages, providing unauthorized access to private repositories.Open-source software continues to be an attractive malware distribution channel for stealing sensitive information and targeting cryptocurrency wallets.
The cybersecurity landscape has recently been marred by a new wave of threats emanating from a seemingly unsuspecting source: open-source software. A recent discovery by cybersecurity researchers has revealed a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems, compromising the integrity of these platforms.
At the heart of this menace is an obfuscated loader that harbors functionality to fetch second-stage ELF and portable executable (PE) binaries. These binaries, once executed, can gather host information, access web browser data, and beacon out to their Command and Control (C2) server. The decentralized nature of the Go ecosystem, which allows modules to be directly imported from GitHub repositories, complicates matters further.
Attackers exploit this confusion by carefully crafting their malicious module namespaces to appear trustworthy at a glance. This tactic significantly increases the likelihood that developers will inadvertently integrate destructive code into their projects. It's assessed that these packages are the work of a single threat actor due to C2 reuse and the format of the code, underscoring continued supply chain risks arising from the cross-platform nature of Go.
This development coincides with the discovery of two npm packages, naya-flore and nvlore-hsc, that masquerade as WhatsApp socket libraries while incorporating a phone number-based kill switch. The packages have collectively been downloaded over 1,110 times and continue to remain available on the npm registry as of writing.
Central to their operations is their ability to retrieve a remote database of Indonesian phone numbers from a GitHub repository. Once the package is executed, it first checks if the current phone is in the database, and, if not, proceeds to recursively delete all files using the command "rm -rf *". The packages have also been found to contain a function to exfiltrate device information to an external endpoint, though calls to this function have been commented out.
The presence of a hardcoded GitHub Personal Access Token in one of these packages provides unauthorized access to private repositories. The purpose of this token remains unclear from the available code. This has sparked speculation about whether the token is used for planned functionality that was never implemented or utilized in other parts of the codebase not included in these packages.
Open-source repositories continue to be an attractive malware distribution channel in software supply chains, with these packages designed to steal sensitive information and even targeting cryptocurrency wallets in some cases. Fortinet FortiGuard Labs noted that while overall tactics have not evolved significantly, attackers continue to rely on proven techniques such as minimizing file count, using installation scripts, and employing discreet data exfiltration methods.
The rise in obfuscation further highlights the importance of vigilance and ongoing monitoring required by users of these services. As open-source software continues to grow, so too will the attack surface for supply chain threats. This underscores the need for continued vigilance and proactive measures to safeguard against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Go-Packages-Deliver-Cross-Platform-Malware-Trigger-Remote-Data-Wipes-ehn.shtml
https://thehackernews.com/2025/08/malicious-go-npm-packages-deliver-cross.html
Published: Thu Aug 7 11:40:15 2025 by llama3.2 3B Q4_K_M
