Malicious Go “crypto” Module Steals Passwords and Deploys Rekoobe Backdoor
Blog post from Socket
Socket’s Threat Research Team identified a malicious Go module, github.com/xinfeisoft/crypto, which impersonates the legitimate golang.org/x/crypto codebase while inserting a backdoor in the ssh/terminal/terminal.go file. The module trades on the widespread trust in the legitimate Go cryptography library: it captures passwords entered through interactive prompts, stores them locally, and then contacts threat actor-controlled servers to execute arbitrary commands. It is designed to evade detection by mirroring the golang.org/x/crypto directory structure and relying on namespace confusion, with GitHub posing as a mirror, so that it blends into dependency graphs. Although the Go security team has limited exposure by blocking the module in the public Go module proxy, the package remains listed on pkg.go.dev, which underscores how much damage it could still do across the ecosystem.

The backdoor activates during interactive password entry. It exfiltrates the captured credentials and runs a Linux stager that installs a persistent SSH key for unauthorized access, weakens firewall settings, and downloads disguised payloads, among them a Rekoobe Linux backdoor. The threat actor’s infrastructure uses GitHub-hosted content as a configuration channel, giving the operator dynamic staging and an extra layer of indirection while keeping the campaign current through updates. The incident fits a broader trend of supply chain attacks against high-value libraries and underscores the importance of careful module review and other safeguards against similar compromises.
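As an added example that is not part of the Socket report, the following Go program audits a go.mod file for the two dependency-graph patterns the report describes: a required module whose path ends in crypto but is not golang.org/x/crypto (such as github.com/xinfeisoft/crypto), and a replace directive that redirects golang.org/x/crypto to some other path. The embedded go.mod is constructed for the demonstration, its pseudo-version strings are placeholders, and the parser is a deliberately simple line-based one rather than golang.org/x/mod/modfile.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// XCrypto is the legitimate module path that the malicious module impersonates.
const XCrypto = "golang.org/x/crypto"

// Finding is one suspicious line in a go.mod file.
type Finding struct {
	Line   int
	Module string
	Reason string
}

// AuditGoMod scans go.mod text for:
//  1. a required module named "crypto" that is not golang.org/x/crypto
//     (namespace confusion, e.g. github.com/xinfeisoft/crypto);
//  2. a replace directive that points golang.org/x/crypto at another path,
//     so builds silently use that code instead of the upstream library.
func AuditGoMod(src string) []Finding {
	var out []Finding
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		// Track "require (" / "replace (" blocks and their closing ")".
		if len(f) == 2 && f[1] == "(" {
			inRequire, inReplace = f[0] == "require", f[0] == "replace"
			continue
		}
		if f[0] == ")" {
			inRequire, inReplace = false, false
			continue
		}
		switch {
		case f[0] == "require" && len(f) >= 3:
			out = append(out, checkRequire(n, f[1])...)
		case inRequire && len(f) >= 2:
			out = append(out, checkRequire(n, f[0])...)
		case f[0] == "replace" || inReplace:
			out = append(out, checkReplace(n, f)...)
		}
	}
	return out
}

// checkRequire flags any module whose last path element is "crypto" unless it is the real one.
func checkRequire(n int, mod string) []Finding {
	if mod != XCrypto && (mod == "crypto" || strings.HasSuffix(mod, "/crypto")) {
		return []Finding{{n, mod, "module named crypto outside golang.org/x; verify it is not an impersonation of " + XCrypto}}
	}
	return nil
}

// checkReplace flags "golang.org/x/crypto => <something else>", in single-line or block form.
func checkReplace(n int, f []string) []Finding {
	arrow := -1
	for i, tok := range f {
		if tok == "=>" {
			arrow = i
			break
		}
	}
	if arrow < 1 || arrow+1 >= len(f) {
		return nil
	}
	old, repl := f[0], f[arrow+1]
	if f[0] == "replace" {
		old = f[1]
	}
	if old == XCrypto && repl != XCrypto {
		return []Finding{{n, old, "golang.org/x/crypto is replaced by " + repl + "; builds will compile that code instead of the upstream library"}}
	}
	return nil
}

// SampleGoMod is a constructed go.mod; the pseudo-versions are placeholders, not real commits.
const SampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000 // indirect
	golang.org/x/crypto v0.27.0
	golang.org/x/sys v0.25.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
`

func main() {
	for _, f := range AuditGoMod(SampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

Run against the sample it reports line 6 (the look-alike require) and line 11 (the replace that swaps the real library out). In a CI pipeline the same check belongs next to `go mod verify` and a go.sum diff review, since a replace directive is exactly the kind of one-line change that passes an unattentive code review.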