Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor in Developer Environments
February 27, 2026
GBHackers On Security

Why It Matters

The attack demonstrates how a single compromised dependency can silently harvest high‑value secrets and give threat actors persistent footholds in developer and CI pipelines, amplifying supply‑chain risk across the software ecosystem.

Key Takeaways

  • Fake Go crypto module mimics golang.org/x/crypto
  • Backdoored ReadPassword writes passwords to /usr/share/nano/.lock
  • Module fetches staging URL from GitHub Raw then executes shell
  • Payload drops SSH key, opens iptables, installs Rekoobe backdoor
  • Go proxy now blocks module, but cached builds stay vulnerable

Pulse Analysis

The Go ecosystem’s reliance on public module proxies creates a trusted boundary that attackers can exploit with minimal effort. By cloning the widely used golang.org/x/crypto repository structure and inserting a malicious ReadPassword hook, the threat actor leveraged developers’ expectation of safety to infiltrate build pipelines. This technique bypasses traditional code‑review safeguards because the module appears legitimate on pkg.go.dev and resolves automatically through go.mod, making it a potent supply‑chain vector.

Once the compromised function captures a password, it writes the clear‑text secret to an obscure file and immediately posts it to a staging endpoint hosted on GitHub Raw. The subsequent curl‑pipe‑sh payload stages a Linux compromise: it appends an attacker‑controlled SSH key, opens all iptables traffic, and drops two binaries—sss.mp5 and the Rekoobe backdoor (555.mp5). The backdoor communicates over port 443 using a custom protocol, evading standard TLS inspection and providing persistent command‑and‑control for espionage‑style operations.

Defenders must treat Go module roots as immutable supply‑chain boundaries. Continuous monitoring of go.mod and go.sum changes, strict vetting of new dependencies that introduce outbound HTTP or shell execution, and runtime detection of file writes to /usr/share/nano/.lock can mitigate this threat. Additionally, organizations should purge cached copies of malicious modules, enforce proxy filtering, and employ behavior‑based alerts for GitHub Raw fetches followed by dynamic POST destinations. Proactive hygiene around Go dependencies is now essential to prevent credential theft and backdoor deployment in modern development environments.
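The dependency-vetting step described above can be partly automated. The following Go program is an added example, not code from the article or from the malicious module: it parses a Go source file and reports when a package declares outbound-HTTP or shell-execution imports alongside exported functions (a terminal helper exposing ReadPassword has no need for net/http or os/exec), and it scans a go.mod for require paths that end in "/crypto" but are not the genuine golang.org/x/crypto. The sample source files and the go.mod are constructed here; the lookalike-path rule is a simple heuristic of this example, and the real malicious module path is not given on the page.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// riskyImports are stdlib packages a terminal or crypto helper has no
// business importing: outbound HTTP and shell execution.
var riskyImports = map[string]bool{"net/http": true, "os/exec": true}

// Finding is the vetting result for one Go source file.
type Finding struct {
	File  string
	Risky []string // risky imports declared by the file, in source order
	Funcs []string // exported functions the file defines
}

// VetSource parses one Go file and records its risky imports and exported
// functions, so a reviewer can see e.g. ReadPassword next to os/exec.
func VetSource(filename, src string) (Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return Finding{}, err
	}
	fd := Finding{File: filename}
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return Finding{}, err
		}
		if riskyImports[path] {
			fd.Risky = append(fd.Risky, path)
		}
	}
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Name.IsExported() {
			fd.Funcs = append(fd.Funcs, fn.Name.Name)
		}
	}
	return fd, nil
}

// Suspicious reports whether a file mixes risky imports with an exported API.
func Suspicious(fd Finding) bool {
	return len(fd.Risky) > 0 && len(fd.Funcs) > 0
}

// LookalikeModules returns require paths whose last element is "crypto" but
// that are not golang.org/x/crypto. Heuristic only (assumption of this example).
func LookalikeModules(gomod string) []string {
	const genuine = "golang.org/x/crypto"
	var hits []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		if !inBlock && !strings.HasPrefix(line, "require ") {
			continue
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) > 0 && fields[0] != genuine && strings.HasSuffix(fields[0], "/crypto") {
			hits = append(hits, fields[0])
		}
	}
	return hits
}

// Constructed samples; not the real module's source or go.mod.
const backdooredSrc = `package term

import ("net/http"; "os"; "os/exec")

// A genuine ReadPassword needs neither HTTP nor a shell.
func ReadPassword(fd int) ([]byte, error) { _ = http.DefaultClient; _ = exec.Command; return os.ReadFile("/dev/null") }
`

const cleanSrc = `package term

import "os"

func ReadPassword(fd int) ([]byte, error) { return os.ReadFile("/dev/null") }
`

const sampleGoMod = `module example.com/app

go 1.22

require (
	golang.org/x/crypto v0.0.0-constructed
	example.invalid/x/crypto v0.0.0-constructed
	github.com/example/lib v1.2.3
)
`

func main() {
	for name, src := range map[string]string{"backdoored.go": backdooredSrc, "clean.go": cleanSrc} {
		fd, err := VetSource(name, src)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: risky=%v funcs=%v suspicious=%v\n", name, fd.Risky, fd.Funcs, Suspicious(fd))
	}
	fmt.Println("lookalike modules:", LookalikeModules(sampleGoMod))
}
```

Run it against a module checked out from the module cache (or a vendor directory) by feeding each file to VetSource; a hit on a package that advertises itself as a terminal or crypto helper is a strong signal to block the dependency before it reaches CI.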
