
Malicious Go and npm packages are spreading cross-platform malware that can initiate remote data erasure.

Cybersecurity researchers have identified a set of 11 malicious Go packages designed to download and execute additional payloads on both Windows and Linux systems. At runtime, the code silently spawns a shell, pulls a second-stage payload from one of a range of interchangeable .icu and .tech command-and-control (C2) endpoints, and executes it in memory. The identified packages include github.com/stripedconsu/linker and github.com/agitatedleopa/stm, among others. Each conceals an obfuscated loader that fetches second-stage ELF and Portable Executable (PE) binaries capable of gathering host information, accessing web browser data, and beaconing to the C2 server. On Linux the second stage arrives as a bash script; on Windows the loader retrieves an executable via certutil.exe. Both Linux build servers and Windows developer workstations are therefore exposed to compromise.

The decentralised nature of the Go ecosystem complicates matters, as modules can be imported directly from GitHub repositories. This creates real confusion for developers: a search on pkg.go.dev may return several similarly named modules, most of them legitimate. Attackers exploit that confusion by crafting module namespaces that look trustworthy, increasing the likelihood that developers inadvertently pull malicious code into their projects. The packages are assessed to be the work of a single threat actor, based on the reuse of C2 infrastructure and the consistent structure of the code. The findings highlight the ongoing supply chain risk that Go's cross-platform reach creates for malware distribution.

Separately, two npm packages, naya-flore and nvlore-hsc, masquerade as WhatsApp socket libraries and incorporate a phone number-based kill switch that can remotely wipe a developer's system.
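A practical first response to a report like this is to check whether any of the named packages are already in your dependency manifests. The following Go program is an added example, not code from the article or from the researchers who reported the packages: it parses a go.mod file (both single-line and block `require` forms) and an npm package.json, and flags any entry matching the indicators the article names. Only the two Go module paths and two npm package names given above are included; the other nine Go packages are not listed on the page, so they are not in the list. The go.mod and package.json inputs are constructed samples, not real project files.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// goIndicators holds the Go module paths the article names. Matching is exact,
// so a look-alike path the article does not list will not be caught.
var goIndicators = map[string]bool{
	"github.com/stripedconsu/linker": true,
	"github.com/agitatedleopa/stm":   true,
}

// npmIndicators holds the two npm package names the article names.
var npmIndicators = map[string]bool{
	"naya-flore": true,
	"nvlore-hsc": true,
}

// sampleGoMod is a constructed go.mod (not from any real project) with one
// flagged module in single-line form and one inside a require block.
const sampleGoMod = `module example.com/app

go 1.22

require github.com/agitatedleopa/stm v0.1.2

require (
	golang.org/x/text v0.14.0
	github.com/stripedconsu/linker v1.0.0 // indirect
)
`

// samplePackageJSON is a constructed package.json with one flagged package in
// dependencies and one in devDependencies.
const samplePackageJSON = `{
  "name": "app",
  "dependencies": { "express": "^4.19.2", "naya-flore": "1.0.3" },
  "devDependencies": { "nvlore-hsc": "0.2.0" }
}`

// goModRequires returns the module paths of all require directives in go.mod
// text, handling both "require path version" and "require ( ... )" forms and
// stripping trailing // comments such as "// indirect".
func goModRequires(text string) []string {
	var paths []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock:
			paths = append(paths, fields[0])
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 2:
			paths = append(paths, fields[1])
		}
	}
	return paths
}

// npmDependencies returns package names from dependencies and devDependencies.
func npmDependencies(text string) ([]string, error) {
	var pkg struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal([]byte(text), &pkg); err != nil {
		return nil, err
	}
	var names []string
	for name := range pkg.Dependencies {
		names = append(names, name)
	}
	for name := range pkg.DevDependencies {
		names = append(names, name)
	}
	return names, nil
}

// Audit returns a sorted list of flagged entries, prefixed "go:" or "npm:".
func Audit(goMod, packageJSON string) ([]string, error) {
	var hits []string
	for _, p := range goModRequires(goMod) {
		if goIndicators[p] {
			hits = append(hits, "go:"+p)
		}
	}
	deps, err := npmDependencies(packageJSON)
	if err != nil {
		return nil, err
	}
	for _, n := range deps {
		if npmIndicators[n] {
			hits = append(hits, "npm:"+n)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	hits, err := Audit(sampleGoMod, samplePackageJSON)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hits {
		fmt.Println("FLAGGED:", h)
	}
}
```

Because the match is exact, this catches only the packages already reported; the namespace look-alikes the article warns about need a separate review of every unfamiliar module path before it is added, since a denylist cannot anticipate the next typosquat.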
