BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Malicious Go Module Hijacks Linux Passwords

Malicious Go Module Impersonates Crypto Library to Steal Secrets and Deploy Rekoobe Backdoor

  • A malicious Go module impersonates a legitimate “golang.org/x/crypto” library to steal secrets.
  • The malware harvests passwords, creates SSH backdoor access, and deploys the Linux backdoor Rekoobe.
  • The Rekoobe backdoor, linked to Chinese nation-state groups like APT31, enables downloading more payloads and executing reverse shells.
  • The Go security team has blocked the malicious package, but researchers warn similar low-effort, high-impact attacks are likely to repeat.

Cybersecurity researchers disclosed on February 27, 2026, that a malicious Go module is harvesting terminal passwords and deploying the persistent Rekoobe Linux backdoor. The module, hosted under a deceptive name, infiltrates victim applications by impersonating legitimate code.

- Advertisement -

Specifically, the fake “github[.]com/xinfeisoft/crypto” module injects malicious code into the “ssh/terminal/terminal.go” file. Consequently, when an application uses the ReadPassword() function, secrets are captured and sent to a remote server.

The campaign then downloads a staging script to create persistent SSH access and loosen firewall rules. Meanwhile, additional payloads disguised with a .mp5 extension are retrieved from an external server.

One payload is a connectivity-testing helper program. However, the second is identified as Rekoobe, a known Linux trojan active since at least 2015.

This backdoor is capable of receiving commands to download payloads, steal files, and execute a reverse shell. As recently as August 2023, Rekoobe has been used by Chinese nation-state groups like APT31.

- Advertisement -

Socket security researcher Kirill Boychenko said, “This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository.” The Go security team has now taken steps to block the malicious package listed on pkg.go.dev.

Boychenko warned similar supply chain attacks are likely to repeat because the pattern is low-effort and high-impact. Defenders should anticipate more attacks targeting credential libraries.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Tesla Launches Three-Row Model Y L in U.S.

Tesla launched a new three-row Model Y L SUV in the U.S. and Puerto...

Solana’s World flagged as phishing by Cloudflare after complaint

A new Solana prediction market called World has been flagged for "suspected phishing" by...

Analysts See Nvidia as a Bargain Despite Stock Pullback

NVIDIA stock closed July 1 at $197.58, well below its 52-week high, despite a...

Tesla Q2 Deliveries Beat Forecasts, China Sales Jump

Tesla reported 480,126 vehicle deliveries for Q2 2026, surpassing Wall Street forecasts of ~406,600...

Bitcoin Rebounds Past $60K Amid Jobs Report Fallout

Bitcoin rebounded to over $60,000 following a sharp decline, as conflicting interpretations of U.S....

Must Read

The Best Bitcoin Casinos of 2025: An Expert’s Data-Driven Guide

Key TakeawaysA Deep Dive into the Top Bitcoin Casinos of 2025Bitcoin Casino Comparison Table1. Stake.com: Best for Variety & Integrated Sports Betting2. BC.Game: Best...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading