Go Supply Chain Attack: Fake Crypto Module Smuggles Password Stealer and Rekoobe Backdoor Into Developer Workstations
Subtitle: A look inside how a rogue Go library impersonated trusted code to harvest secrets and hijack Linux systems in plain sight.
It started like any other package update - a new Go cryptography module, indistinguishable at first glance from the real deal, quietly inserted into a developer’s toolchain. But behind the familiar folder names and routine code, attackers had crafted a sophisticated trap: a backdoored clone designed to steal passwords and open a hidden door for further compromise. As the dust settles, the incident reveals a chilling reality for the open-source supply chain: trust can be weaponized with frightening ease.
Fast Facts
- Attackers published a malicious Go crypto module mimicking the trusted golang.org/x/crypto library.
- The rogue package harvested user passwords and deployed the Rekoobe Linux backdoor on infected systems.
- Payloads were staged via GitHub Raw and delivered through disguised shell scripts and binaries.
- Malware lurked behind legitimate-seeming password prompts, evading most automated scans.
- Go module proxies now block the malicious package, but cached or vendored code remains a risk.
The campaign, uncovered by Socket’s Threat Research Team, leveraged a near-perfect copy of Go’s official cryptography library - right down to the subpackage structure. Lurking in the github.com/xinfeisoft/crypto repository, the impostor module blended into the dependency trees of unsuspecting projects. Its key innovation: a booby-trapped ReadPassword function. When invoked, it operated as normal, but secretly siphoned off plaintext secrets to an obscure file, /usr/share/nano/.lock, before exfiltrating them to an attacker-controlled endpoint.
The attack didn’t end at credential theft. The module fetched a “staging” URL from a file hosted on GitHub Raw, allowing the attacker to rotate infrastructure on the fly. A fetched shell script then set about compromising the host: appending an attacker’s SSH key to authorized_keys, dropping firewall protections, and downloading two further payloads disguised as harmless media files. The final act was the deployment of “555.mp5,” a Rekoobe backdoor, granting persistent remote access and communication over custom channels.
Unlike noisy malware, this operation was engineered for stealth. The backdoor only triggered during real, interactive password entry - slipping past automated tests and leaving minimal forensic traces by deleting its own footprints. The attacker’s infrastructure, including multiple domains and a GitHub account with supporting repositories, enabled agile updates and a sustained campaign.
While Go’s module proxy network now blocks the malicious package, any environment that previously cached or vendored it remains vulnerable. The incident is a stark warning: even the most trusted open-source boundaries can be subverted with a single, subtle hook. Vigilance around new dependencies, especially those that introduce shell execution or outbound network calls, is no longer optional - it’s survival.
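The indicators the article gives (the impostor module path github.com/xinfeisoft/crypto, the library it mimics, and the /usr/share/nano/.lock drop file) are enough to audit a workstation or CI checkout for the cached or vendored copies the paragraph above warns about. The Go program below is an added example written for this page; it is not code from Socket or from the article, and the manifest file names it looks for (go.mod, go.sum, vendor/modules.txt), the sample go.mod it embeds, and the `replace` heuristic are assumptions of the example rather than details from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the incident write-up above.
const (
	MaliciousModulePath = "github.com/xinfeisoft/crypto" // impostor module path
	GenuineModulePath   = "golang.org/x/crypto"         // library it impersonated
	DropFilePath        = "/usr/share/nano/.lock"       // where captured passwords were staged
)

// sampleGoMod is a constructed manifest used to demonstrate the scanner offline.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.1.0
	golang.org/x/sys v0.20.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.1.0
`

// Finding is one suspicious line in a dependency manifest.
type Finding struct {
	File   string
	Line   int
	Reason string
	Text   string
}

// redirectsGenuine reports whether a line is a replace directive (or a line
// inside a replace block) that points golang.org/x/crypto at some other
// module path or local directory. Any such redirect deserves review, because
// that is how a look-alike module ends up in a build in place of the real one.
func redirectsGenuine(line string) bool {
	lhs, rhs, ok := strings.Cut(line, "=>")
	return ok && strings.Contains(lhs, GenuineModulePath) && !strings.Contains(rhs, GenuineModulePath)
}

// ScanManifest inspects go.mod, go.sum or vendor/modules.txt content line by
// line and returns every line that references the impostor module or that
// redirects the genuine crypto module elsewhere.
func ScanManifest(name string, r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case redirectsGenuine(line):
			out = append(out, Finding{name, n, "replace redirects golang.org/x/crypto", line})
		case strings.Contains(line, MaliciousModulePath):
			out = append(out, Finding{name, n, "references impostor module", line})
		}
	}
	return out, sc.Err()
}

// ScanTree walks root (a source checkout, a vendor tree, or a GOMODCACHE
// directory) and scans every go.mod, go.sum and modules.txt it finds.
func ScanTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		base := filepath.Base(p)
		if d.IsDir() || (base != "go.mod" && base != "go.sum" && base != "modules.txt") {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		found, err := ScanManifest(p, f)
		if err != nil {
			return err
		}
		all = append(all, found...)
		return nil
	})
	return all, err
}

// DropFilePresent reports whether the credential drop file used by the
// backdoored ReadPassword exists at the given path.
func DropFilePresent(path string) bool {
	_, err := os.Stat(path)
	return err == nil
}

func main() {
	// Demonstrate on the embedded sample, then on a directory if one was given.
	found, _ := ScanManifest("sample/go.mod", strings.NewReader(sampleGoMod))
	if len(os.Args) > 1 {
		tree, err := ScanTree(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "scan error:", err)
		}
		found = append(found, tree...)
	}
	for _, f := range found {
		fmt.Printf("%s:%d: %s: %s\n", f.File, f.Line, f.Reason, f.Text)
	}
	if DropFilePresent(DropFilePath) {
		fmt.Println("WARNING: credential drop file present at", DropFilePath)
	}
}
```

Run it as `go run main.go "$(go env GOMODCACHE)"` to cover the module cache as well as the working tree, and repeat against each project that vendors its dependencies; a hit on the replace rule is not proof of compromise on its own, but it is exactly the kind of redirect of a trusted module that should never pass review unexplained.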
Conclusion
This supply chain breach shows just how fragile the line between trust and compromise has become in the world of open-source software. As attackers grow bolder and their tactics more cunning, developers and defenders alike must scrutinize every new module - because today’s routine update could be tomorrow’s silent breach.
WIKICROOK
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Rekoobe: Rekoobe is a stealthy Linux backdoor, based on Tiny SHell, enabling attackers to maintain persistent, covert remote access to compromised systems.
- Go Module: A Go module is a versioned set of Go packages, used for managing dependencies and ensuring reliable builds in the Go programming language.
- Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.