Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor in Developer Environments
A newly discovered supply chain attack is putting Go developers at serious risk. A threat actor published a malicious Go module that closely mimics one of the most trusted cryptographic libraries in the ecosystem — golang.org/x/crypto — and used it to steal passwords and silently deploy a Linux backdoor onto compromised systems.
The campaign is a clear reminder that even well-established dependency names are now being weaponized against developers who may never suspect a trusted-looking import is working against them.
The malicious module, github[.]com/xinfeisoft/crypto, was listed publicly on pkg.go.dev at version v0.15.0 with a February 20, 2025 publication date.
It copied the full structure of the legitimate golang.org/x/crypto repository — including familiar subpackages like bcrypt, argon2, acme, and ssh — allowing it to blend into dependency graphs without raising immediate suspicion.
The attacker exploited the fact that the canonical golang.org/x/crypto source lives at go.googlesource.com/crypto and is mirrored to GitHub (github.com/golang/crypto), so a GitHub-hosted repository named crypto with the same layout looks routine during code review.
Socket.dev researchers identified the malicious module after their AI Scanner flagged a backdoor embedded inside ssh/terminal/terminal.go.
The modification targeted the ReadPassword helper function — used by tools handling SSH passphrases, database logins, and interactively entered API keys.
Because ReadPassword is only called when a program prompts a human at a terminal, the backdoor fires during live interactive use and stays silent in automated test runs and non-interactive CI jobs, significantly cutting the chance of accidental discovery.
Once a developer's application calls ReadPassword, the compromised function captures the credential in plaintext and writes it to /usr/share/nano/.lock, a path inside the nano editor's data directory chosen to look innocuous.
It then fetches a staging pointer from the threat actor’s GitHub-hosted repository, posts the stolen password to a dynamically resolved endpoint, retrieves a shell script, and executes it via /bin/sh.
This design lets the attacker rotate infrastructure URLs without republishing the module. The Go security team has since blocked the module at the public proxy, returning a 403 SECURITY ERROR response.
The broader impact is significant for teams working in Go-based Linux environments, particularly those running cloud VMs, CI/CD runners, or admin bastion hosts.
Any application importing this module and invoking ReadPassword becomes a live credential harvesting point — exposing SSH passphrases, database passwords, and API keys before any hashing or encryption can protect them.
The Multi-Stage Backdoor Delivery Chain
Execution chain from the backdoored ReadPassword hook through GitHub Raw pointer (update.html), staging server (img[.]spoolsv[.]cc), and final Rekoobe backdoor delivery.
The dropper chain has five stages. The backdoored ReadPassword function first fetches update.html from the attacker's GitHub repository, which redirects to seed.php at img[.]spoolsv[.]cc.
That endpoint returns a curl | sh launcher that fetches and executes snn50.txt, the primary Linux stager that prepares the host and delivers the final payloads.
The snn50.txt stager performs three critical actions. It appends a threat actor-controlled SSH key to /home/ubuntu/.ssh/authorized_keys (the default user on Ubuntu cloud images), creating persistent remote access that survives password resets.
It sets iptables default policies to ACCEPT, weakening the host firewall. Finally, it downloads sss.mp5 and 555.mp5 from img[.]spoolsv[.]cc — disguised with media-like extensions to bypass basic file inspection — executes them, and deletes them from disk to reduce forensic evidence.
Socket.dev researchers confirmed 555.mp5 as a Rekoobe Linux backdoor, a tool with documented ties to APT31 (Zirconium) and partial lineage from the Tiny SHell codebase.
The binary communicated with 154[.]84[.]63[.]184 over TCP port 443 without a standard TLS handshake, suggesting custom encrypted traffic designed to pass as HTTPS; a proxy or sensor that validates the TLS ClientHello on port 443 would see this as anomalous.
The sss.mp5 sample functioned separately as a loader and reconnaissance component during the same stage.
Defenders should audit go.mod and go.sum for module paths that reuse golang.org/x names under another host or owner, and for replace directives that redirect golang.org/x/* modules elsewhere, and treat any new dependency addition as a security review item.
Endpoints should be monitored for writes to /usr/share/nano/.lock, unauthorized authorized_keys modifications, and iptables policy resets to ACCEPT.
Blocking img[.]spoolsv[.]cc and img[.]spoolsv[.]net, and alerting on processes that chain GitHub Raw fetches with outbound HTTP POST calls, will help detect this pattern early — before backdoor delivery completes.
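As an added example of the network-side detection described above (not code from Socket.dev or any vendor), the program below runs two rules over constructed per-process egress telemetry: it flags any contact with the staging domains named in the report, and it flags a process that performs a GET to raw.githubusercontent.com and then an HTTP POST to any other host within a short window. The record format, the five-minute window and the sample records are assumptions of this example; a real deployment would read the equivalent fields from an egress proxy or eBPF-based process network telemetry.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample telemetry (not real logs from the campaign): one record
// per outbound HTTP request, attributed to the originating process id.
const sampleTelemetry = `2025-02-21T10:14:02Z pid=4312 exe=/bin/sh method=GET host=raw.githubusercontent.com path=/example-owner/example-repo/main/update.html
2025-02-21T10:14:03Z pid=4312 exe=/bin/sh method=POST host=img.spoolsv.cc path=/seed.php
2025-02-21T10:15:00Z pid=5100 exe=/usr/bin/git method=GET host=github.com path=/golang/crypto/info/refs
2025-02-21T10:16:10Z pid=6001 exe=/usr/bin/curl method=GET host=raw.githubusercontent.com path=/example-org/tool/main/README.md
2025-02-21T10:30:00Z pid=6001 exe=/usr/bin/curl method=POST host=telemetry.example.com path=/ingest`

// Staging domains named in the Socket.dev report.
var blockedHosts = map[string]bool{"img.spoolsv.cc": true, "img.spoolsv.net": true}

// chainWindow bounds how long after a GitHub Raw fetch a POST from the same
// process is still treated as part of one chain (assumed value).
const chainWindow = 5 * time.Minute

// Event is one outbound HTTP request made by a process.
type Event struct {
	TS                     time.Time
	PID                    int
	Exe, Method, Host, Path string
}

// Alert names the process, the rule that fired and the host involved.
type Alert struct {
	PID  int
	Rule string
	Host string
}

// parseEvent reads one "timestamp key=value ..." record.
func parseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 6 {
		return Event{}, fmt.Errorf("short record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{TS: ts}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "pid":
			ev.PID, _ = strconv.Atoi(v)
		case "exe":
			ev.Exe = v
		case "method":
			ev.Method = v
		case "host":
			ev.Host = v
		case "path":
			ev.Path = v
		}
	}
	return ev, nil
}

// Detect applies both rules in record order and returns the alerts raised.
func Detect(telemetry string) ([]Alert, error) {
	var alerts []Alert
	lastRawFetch := map[int]time.Time{} // pid -> time of its latest GitHub Raw GET
	for _, line := range strings.Split(strings.TrimSpace(telemetry), "\n") {
		ev, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		if blockedHosts[ev.Host] {
			alerts = append(alerts, Alert{ev.PID, "contact with known staging host", ev.Host})
		}
		switch {
		case ev.Method == "GET" && ev.Host == "raw.githubusercontent.com":
			lastRawFetch[ev.PID] = ev.TS
		case ev.Method == "POST":
			if t, ok := lastRawFetch[ev.PID]; ok && ev.TS.Sub(t) <= chainWindow {
				alerts = append(alerts, Alert{ev.PID, "GitHub Raw fetch followed by POST", ev.Host})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Detect(sampleTelemetry)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("pid %d: %s (%s)\n", a.PID, a.Rule, a.Host)
	}
}
```

On the sample, pid 4312 (a /bin/sh that fetched a raw GitHub file and POSTed to img.spoolsv.cc one second later) raises both alerts; the git clone and the curl whose POST comes fourteen minutes after its README fetch raise none. The chain rule is the more durable of the two, because it does not depend on the staging domain, which the design of this backdoor lets the attacker rotate at will.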