Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor

A sophisticated supply chain attack has been uncovered targeting Go developers through a malicious module that impersonates the legitimate golang.org/x/crypto library. The attack demonstrates how threat actors are increasingly exploiting namespace confusion to compromise developer environments and deploy persistent backdoors.

The Attack Mechanism

Security researchers at Socket discovered the malicious module github[.]com/xinfeisoft/crypto, which masquerades as the legitimate Go crypto library. The attack is particularly insidious because it hooks into the ReadPassword() function within the ssh/terminal/terminal.go file.

“This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository,” explained Socket security researcher Kirill Boychenko. “The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs.”

Attack Chain

When a victim application calls ReadPassword(), the malicious code:

  • Captures passwords entered at terminal prompts
  • Writes credentials to /usr/share/nano/.lock for persistence
  • Exfiltrates secrets via HTTP POST to attacker-controlled servers
  • Downloads and executes shell scripts through a GitHub Raw staging mechanism

The Rekoobe Backdoor

The attack chain ultimately deploys Rekoobe, a Linux trojan active since at least 2015 and linked to Chinese nation-state group APT31. The malware:

  • Adds attacker SSH keys to /home/ubuntu/.ssh/authorized_keys
  • Loosens firewall restrictions by setting iptables defaults to ACCEPT
  • Receives commands from C2 servers for additional payload deployment
  • Enables reverse shell access for remote control
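The indicators in the two lists above (the credential drop file, the appended SSH key, the loosened iptables defaults) can be turned into host checks. The Go program below is an added example, not code from the article or from Socket's report; it assumes that a baseline of approved SSH public keys is maintained outside the host (for instance in configuration management) and that the output of `iptables -S` is captured separately and handed to it as text. The iptables sample in `main` is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one indicator matched during the host check.
type Finding struct {
	Where  string
	Detail string
}

// CheckCredentialDrop looks for the credential drop file the article names
// (/usr/share/nano/.lock) beneath root. Use "/" on a live host; the root
// parameter exists so the check can be exercised against a scratch tree.
func CheckCredentialDrop(root string) []Finding {
	p := filepath.Join(root, "usr", "share", "nano", ".lock")
	info, err := os.Stat(p)
	if err != nil {
		return nil // absent (or unreadable): nothing to report here
	}
	return []Finding{{Where: p, Detail: fmt.Sprintf("credential drop file present (%d bytes)", info.Size())}}
}

// keyIdentity reduces an authorized_keys line to "type base64", ignoring
// leading options and the trailing comment, so that a changed comment can
// neither hide nor fake a match against the baseline.
func keyIdentity(line string) (string, bool) {
	fields := strings.Fields(line)
	for i := 0; i+1 < len(fields); i++ {
		t := fields[i]
		if strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
			return t + " " + fields[i+1], true
		}
	}
	return "", false
}

// CheckAuthorizedKeys flags every key in path that is not in approved.
// Assumption: approved holds "type base64" identities of keys the
// organisation has issued, kept off the host being checked.
func CheckAuthorizedKeys(path string, approved map[string]bool) ([]Finding, error) {
	f, err := os.Open(path)
	if os.IsNotExist(err) {
		return nil, nil // no file, no keys to judge
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var out []Finding
	sc := bufio.NewScanner(f)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		id, ok := keyIdentity(line)
		switch {
		case !ok:
			out = append(out, Finding{Where: fmt.Sprintf("%s:%d", path, n), Detail: "unparseable key line"})
		case !approved[id]:
			out = append(out, Finding{Where: fmt.Sprintf("%s:%d", path, n), Detail: "key not in baseline: " + id})
		}
	}
	return out, sc.Err()
}

// CheckIptablesPolicies parses `iptables -S` output and flags chains whose
// default policy is ACCEPT, the loosened state the article describes.
// INPUT and FORWARD are the chains a hardened host normally keeps at DROP.
func CheckIptablesPolicies(iptablesS string) []Finding {
	var out []Finding
	for _, line := range strings.Split(iptablesS, "\n") {
		f := strings.Fields(line)
		// policy lines look like: -P INPUT ACCEPT
		if len(f) == 3 && f[0] == "-P" && f[2] == "ACCEPT" && (f[1] == "INPUT" || f[1] == "FORWARD") {
			out = append(out, Finding{Where: "iptables " + f[1], Detail: "default policy ACCEPT"})
		}
	}
	return out
}

func main() {
	// Constructed sample of `iptables -S` output from a host in the loosened state.
	sample := "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n-A INPUT -i lo -j ACCEPT\n"
	for _, f := range CheckIptablesPolicies(sample) {
		fmt.Printf("%s: %s\n", f.Where, f.Detail)
	}
	for _, f := range CheckCredentialDrop("/") {
		fmt.Printf("%s: %s\n", f.Where, f.Detail)
	}
	// Empty baseline: every key on the host is reported until the real list is supplied.
	keys, err := CheckAuthorizedKeys("/home/ubuntu/.ssh/authorized_keys", map[string]bool{})
	if err != nil {
		fmt.Println("authorized_keys:", err)
	}
	for _, f := range keys {
		fmt.Printf("%s: %s\n", f.Where, f.Detail)
	}
}
```

Comparing keys by type and base64 body rather than by whole line matters here: an appended key that copies a legitimate comment string still fails the baseline check.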

Defense Implications

While the Go security team has blocked the malicious package, researchers warn this pattern will likely repeat. “Defenders should anticipate similar supply chain attacks targeting other ‘credential edge’ libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code,” Boychenko cautioned.

Organizations using Go in their development environments should audit their dependencies and implement verification processes for third-party libraries.
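One concrete form of that dependency audit is to scan each repository's go.mod for the two patterns this campaign relies on: a module whose path ends in `/crypto` but is not `golang.org/x/crypto`, and a `replace` directive that redirects the canonical path to some other module. The Go program below is an added example, not code from the article or from the Go project; it parses go.mod with a small hand-written reader (it does not use golang.org/x/mod) and the go.mod text in `SampleGoMod` is constructed, with a placeholder pseudo-version.

```go
package main

import (
	"fmt"
	"strings"
)

// Canonical is the import path of the legitimate crypto subrepository.
const Canonical = "golang.org/x/crypto"

// SampleGoMod is a constructed go.mod showing both patterns the audit flags.
// The pseudo-version is a placeholder, not a real revision.
const SampleGoMod = `module example.com/app

go 1.21

require (
	golang.org/x/crypto v0.21.0
	github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000 // placeholder version
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
`

// Suspect is one go.mod entry that deserves a human look.
type Suspect struct {
	Line   int
	Reason string
	Text   string
}

// lookAlike reports whether p ends in "/crypto" without being the canonical
// path, e.g. github.com/<anyone>/crypto.
func lookAlike(p string) bool {
	return p != Canonical && (p == "crypto" || strings.HasSuffix(p, "/crypto"))
}

func indexOf(f []string, s string) int {
	for i, x := range f {
		if x == s {
			return i
		}
	}
	return -1
}

// AuditGoMod scans go.mod text for (a) look-alike crypto modules in require
// directives and (b) replace directives that redirect the canonical path to
// another module or a local directory. Single-line and parenthesised block
// forms of both directives are handled; trailing // comments are ignored.
func AuditGoMod(gomod string) []Suspect {
	var out []Suspect
	block := "" // "require" or "replace" while inside a ( ... ) block
	for n, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		directive := block
		if block == "" {
			directive = f[0]
			if len(f) == 2 && f[1] == "(" {
				block = directive // entering a block; entries follow on their own lines
				continue
			}
			f = f[1:]
		} else if f[0] == ")" {
			block = ""
			continue
		}
		switch directive {
		case "require":
			if len(f) >= 1 && lookAlike(f[0]) {
				out = append(out, Suspect{n + 1, "look-alike of " + Canonical, line})
			}
		case "replace":
			// forms: old [version] => new [version]
			arrow := indexOf(f, "=>")
			if arrow > 0 && arrow+1 < len(f) && f[0] == Canonical && f[arrow+1] != Canonical {
				out = append(out, Suspect{n + 1, "canonical path redirected to " + f[arrow+1], line})
			}
		}
	}
	return out
}

func main() {
	for _, s := range AuditGoMod(SampleGoMod) {
		fmt.Printf("go.mod:%d: %s\n    %s\n", s.Line, s.Reason, s.Text)
	}
}
```

A `replace` that pins `golang.org/x/crypto` to another version of itself is deliberately not flagged; only redirection to a different path is, since that is what makes a look-alike module appear as the real one in the build.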

Source: The Hacker News
