Cybersecurity researchers have uncovered a malicious software library in the Go programming language ecosystem designed to steal sensitive information and create a persistent backdoor on infected systems. The module, which impersonates a legitimate and widely used cryptographic package, was discovered actively harvesting passwords and deploying a Linux backdoor known as Rekoobe.
Deceptive Package Targets Developers
The malicious code was distributed under the name “github[.]com/xinfeisoft/crypto,” a clear imitation of the official and trusted “golang.org/x/crypto” library. This technique, known as typosquatting (and often discussed alongside dependency confusion), relies on a developer accidentally importing a similarly named malicious package in place of the genuine one. Once the module is pulled into a software project's build, its harmful payload executes.
Researchers found that the module’s primary function is to intercept secrets entered via the terminal. This includes passwords, authentication tokens, and other confidential data typed by users or administrators. The stolen information is then transmitted to servers controlled by the attackers.
Establishing Persistent Access
Beyond credential theft, the module is engineered to ensure long-term access to compromised systems. It achieves this by creating a Secure Shell (SSH) backdoor. SSH is a standard protocol for securely accessing networked machines, and by installing unauthorized SSH keys, the attackers can return to the system at any time without needing a password.
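The persistence mechanism described above works because any public key listed in a user's authorized_keys file grants password-less login. A defender-side check is therefore to compare the keys actually present on a host against an inventory of the keys that were deliberately provisioned. The following program is an added example written for this article, not code from the researchers or from the malware; the authorized_keys content, the key bodies and the inventory are all constructed, and the parsing is a simplification of the OpenSSH format (it assumes no option value contains the text " ssh-").

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// AuthorizedKey is one key line from an OpenSSH authorized_keys file.
type AuthorizedKey struct {
	Line        int    // 1-based line number in the file
	Type        string // key type token, e.g. ssh-ed25519
	Blob        string // base64 key body exactly as written in the file
	Comment     string // trailing comment, often user@host
	Fingerprint string // SHA256:... as printed by `ssh-keygen -l`, or "" if Blob is not base64
}

// fingerprint computes the OpenSSH SHA256 fingerprint of a base64 key blob:
// SHA-256 over the decoded bytes, encoded as unpadded base64.
func fingerprint(blob string) string {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return ""
	}
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// parseAuthorizedKeys parses authorized_keys content. Lines may carry an
// options prefix (command="...", no-pty, ...); the key is located as the first
// whitespace-separated token whose name starts with ssh-, ecdsa- or sk-.
// Simplification: an option value containing " ssh-" would confuse this scan.
func parseAuthorizedKeys(content string) []AuthorizedKey {
	var keys []AuthorizedKey
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		start := -1
		for i, f := range fields {
			if strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-") {
				start = i
				break
			}
		}
		if start < 0 || start+1 >= len(fields) {
			continue // no recognisable "<type> <blob>" pair on this line
		}
		k := AuthorizedKey{Line: lineNo, Type: fields[start], Blob: fields[start+1]}
		if start+2 < len(fields) {
			k.Comment = strings.Join(fields[start+2:], " ")
		}
		k.Fingerprint = fingerprint(k.Blob)
		keys = append(keys, k)
	}
	return keys
}

// findUnexpectedKeys returns every parsed key whose blob is not in the set of
// keys the organisation knows it provisioned. Matching on the blob rather than
// the comment matters: an attacker can write any comment they like.
func findUnexpectedKeys(keys []AuthorizedKey, provisioned map[string]bool) []AuthorizedKey {
	var out []AuthorizedKey
	for _, k := range keys {
		if !provisioned[k.Blob] {
			out = append(out, k)
		}
	}
	return out
}

var (
	// Constructed key bodies: valid base64, but not real SSH public keys.
	blobAdmin   = base64.StdEncoding.EncodeToString([]byte("constructed-sample-key-admin"))
	blobDeploy  = base64.StdEncoding.EncodeToString([]byte("constructed-sample-key-deploy"))
	blobUnknown = base64.StdEncoding.EncodeToString([]byte("constructed-sample-key-unknown"))

	// Constructed authorized_keys content, not taken from any real host.
	sampleAuthorizedKeys = "# managed by configuration management\n" +
		"ssh-ed25519 " + blobAdmin + " admin@workstation\n" +
		"command=\"/usr/local/bin/deploy\",no-pty ssh-ed25519 " + blobDeploy + " deploy@ci\n" +
		"ssh-ed25519 " + blobUnknown + " root@unknown-host\n"

	// Inventory of keys that were deliberately provisioned (constructed).
	provisionedKeys = map[string]bool{blobAdmin: true, blobDeploy: true}
)

func main() {
	keys := parseAuthorizedKeys(sampleAuthorizedKeys)
	for _, k := range findUnexpectedKeys(keys, provisionedKeys) {
		fmt.Printf("line %d: unexpected %s key %s (%s)\n", k.Line, k.Type, k.Fingerprint, k.Comment)
	}
}
```

On a real host the same check runs over every user's ~/.ssh/authorized_keys plus any AuthorizedKeysFile paths set in sshd_config; the inventory should come from configuration management, and the fingerprint is what you search for in authentication logs once an unexpected key turns up.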
The final stage of the attack involves deploying a sophisticated Linux backdoor identified as Rekoobe. This malware provides remote control over the infected computer, allowing attackers to execute commands, upload further tools, and move laterally across a network. The combination of credential harvesting, persistent SSH access, and a full backdoor makes this a multi-stage, highly effective threat.
Impact on the Software Supply Chain
This incident highlights a growing security concern: the software supply chain. Modern software development heavily relies on external code libraries and modules, often sourced from public repositories. An attack that poisons one of these shared components can have a cascading effect, potentially compromising all applications that depend on it.
The Go module ecosystem, like those for Python (PyPI) and JavaScript (npm), has been targeted by similar campaigns in the past. Attackers exploit the automated trust and convenience of these repositories to infiltrate development pipelines and, ultimately, end-user applications and infrastructure.
Mitigation and Best Practices
Security experts recommend that developers and organizations adopt stringent measures to guard against such threats. These include meticulously verifying package names and sources before inclusion in a project, using private, vetted repositories where possible, and implementing software composition analysis tools to scan for known vulnerabilities and malicious code.
Organizations are advised to audit their projects for any reference to the malicious “xinfeisoft/crypto” package and remove it immediately. Monitoring network traffic for unexpected connections to unknown external servers can also help detect ongoing exfiltration of data.
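The audit recommended above can be automated against a project's go.mod. The program below is an added example written for this article, not a tool from the researchers or the Go project: it reads a constructed go.mod, flags the module path named in this report outright, and applies a labelled heuristic for other lookalikes (same final path element as a widely used module, but a different module path). The list of trusted modules and the version strings are assumptions, and a lookalike hit is a prompt for review rather than proof of malice.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one require directive that needs attention.
type Finding struct {
	Module string
	Reason string
}

// knownMalicious maps module paths reported as malicious to a short note.
// Only the path from the report above is listed; extend it from your own intel.
var knownMalicious = map[string]string{
	"github.com/xinfeisoft/crypto": "impersonates golang.org/x/crypto; reported to steal terminal secrets and install a backdoor",
}

// trustedModules are widely used paths that attackers imitate (assumed list).
var trustedModules = []string{
	"golang.org/x/crypto",
	"golang.org/x/net",
	"golang.org/x/sys",
	"golang.org/x/text",
}

// parseRequires returns the module paths from go.mod content, handling both
// `require example.com/m v1.2.3` and the `require ( ... )` block form.
// Comments (including `// indirect`) are stripped first.
func parseRequires(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[0])
			}
		case strings.HasPrefix(line, "require") && strings.HasSuffix(line, "("):
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// lastElem returns the final slash-separated element of a module path.
func lastElem(path string) string {
	return path[strings.LastIndex(path, "/")+1:]
}

// auditModules flags denylisted paths outright, then applies the lookalike
// heuristic: same final path element as a trusted module, but a different
// module path that is not a subpath of it. Heuristic hits are for review.
func auditModules(mods []string) []Finding {
	var out []Finding
	for _, m := range mods {
		if note, ok := knownMalicious[m]; ok {
			out = append(out, Finding{m, "known malicious: " + note})
			continue
		}
		for _, t := range trustedModules {
			if m == t || strings.HasPrefix(m, t+"/") {
				break // the genuine module or one of its own subpaths
			}
			if lastElem(m) == lastElem(t) {
				out = append(out, Finding{m, "lookalike of " + t + ": verify the source before keeping it"})
				break
			}
		}
	}
	return out
}

// Constructed go.mod for a hypothetical service; versions are placeholders.
const sampleGoMod = `module example.com/internal/service

go 1.22

require golang.org/x/crypto v0.0.0-placeholder

require (
	github.com/xinfeisoft/crypto v0.0.0-placeholder
	golang.org/x/net v0.0.0-placeholder
	example.com/vendor/net v0.0.0-placeholder // indirect
)
`

func main() {
	for _, f := range auditModules(parseRequires(sampleGoMod)) {
		fmt.Printf("%s: %s\n", f.Module, f.Reason)
	}
}
```

Run it over every go.mod in the organisation's repositories, including those of vendored and indirect dependencies. Note that go.sum does not help here: it verifies that a module's content matches the checksum database, not that the module path you chose is the one you meant.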
The discovery of this malicious module underscores the critical need for vigilance in open-source software consumption. As the investigation continues, security firms and repository maintainers are expected to enhance detection systems to identify and remove impersonating packages more rapidly. Further analysis of the Rekoobe backdoor’s capabilities and command infrastructure is likely to provide additional insights for defensive measures.
Source: Based on cybersecurity research disclosures.