An impersonated golang.org/x/crypto clone exfiltrates passwords, executes a remote shell stager, and delivers a Rekoobe backdoor on Linux.

Socket

Socket's Threat Research Team discovered a malicious Go module, github.com/xinfeisoft/crypto, impersonating the legitimate golang.org/x/crypto package. The backdoor was inserted into ssh/terminal/terminal.go's ReadPassword function, which captures passwords, exfiltrates them to attacker-controlled infrastructure, and executes a remote shell stager. The stager adds an SSH key for persistence, weakens iptables firewall rules, and downloads two disguised payloads — one of which is confirmed as the Rekoobe Linux backdoor linked to APT31. The module used GitHub Raw as a rotating C2 pointer to avoid republishing. The Go module proxy now blocks the package with a 403 SECURITY ERROR after Socket's report. Defenders are advised to treat go.mod changes as security-sensitive, use dependency scanning in CI, and watch for curl|sh execution, authorized_keys modifications, and iptables policy changes.

Malicious Go “crypto” Module Steals Passwords and Deploys Re...

Linux Stager and Backdoor Delivery Chain #