Malicious Go Module Hijacks Linux Passwords

Cybersecurity researchers disclosed on February 27, 2026, that a malicious Go module is harvesting terminal passwords and deploying the persistent Rekoobe Linux backdoor. The module, hosted under a deceptive name, infiltrates victim applications by impersonating legitimate code.

Specifically, the fake “github[.]com/xinfeisoft/crypto” module injects malicious code into the “ssh/terminal/terminal.go” file. Consequently, when an application uses the ReadPassword() function, secrets are captured and sent to a remote server.

The campaign then downloads a staging script to create persistent SSH access and loosen firewall rules. Meanwhile, additional payloads disguised with a .mp5 extension are retrieved from an external server.

One payload is a connectivity-testing helper program. However, the second is identified as Rekoobe, a known Linux trojan active since at least 2015.

This backdoor is capable of receiving commands to download payloads, steal files, and execute a reverse shell. As recently as August 2023, Rekoobe has been used by Chinese nation-state groups like APT31.

Socket security researcher Kirill Boychenko said, “This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository.” The Go security team has now taken steps to block the malicious package listed on pkg.go.dev.

Boychenko warned similar supply chain attacks are likely to repeat because the pattern is low-effort and high-impact. Defenders should anticipate more attacks targeting credential libraries.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Block Stock Jumps 18% on Layoffs, AI Shift
• South Korea’s Tax Service Leaks Secret Crypto Keys in Blunder
• Altman backs AI safeguards, eyes Pentagon deal despite rift
• Hedera Relay Aligns Defaults with Ethereum
• Barclays eyes blockchain for payments, deposits