Malicious Go 'crypto' Module Steals Passwords and Deploys Rekoobe Backdoor
Essential information
- Published
- 27/02/2026 05:11
- Modified
- 27/02/2026 09:30
- Tags
- 2026-02-27, backdoor, cryptography-impersonation, github abuse, golang, linux, malware, password theft, rekoobe, supply chain attack
- Related entities
- 10 observables, 1 intrusion set (APT), 1 malware, 4 others
Description
A malicious Go module impersonating the legitimate golang.org/x/crypto package has been discovered; its backdoor is located in ssh/terminal/terminal.go. The module captures passwords, exfiltrates them, and executes remote commands. The attack chain includes a Linux stager that installs an SSH key for persistence, weakens firewall settings, and deploys a Rekoobe backdoor. The campaign targets high-trust cryptography libraries and likely aims at cloud environments. The threat actor uses GitHub for staging and disguises payloads as media files. This sophisticated supply chain attack highlights the need for careful scrutiny of changes to Go module dependencies and for robust security controls in development workflows.
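As an added example (not code from the report or from any affected project), the following Go audit scans go.mod text for the impersonation patterns described above: a replace directive that redirects a golang.org/x/ module to another source, a module path containing non-ASCII lookalike characters, and an x/crypto path hosted somewhere other than golang.org. The list of trusted prefixes and the go.mod inputs are assumptions for illustration.

```go
package main

import "strings"

// isTrusted reports whether path lives under a canonical high-trust prefix
// (assumption: golang.org/x/ and google.golang.org/; extend for your org).
func isTrusted(path string) bool {
	return strings.HasPrefix(path, "golang.org/x/") || strings.HasPrefix(path, "google.golang.org/")
}

// AuditGoMod returns one reason string per suspicious directive: a replace that
// swaps a trusted module for another source, a non-ASCII (homoglyph) module path,
// or a path carrying the x/crypto suffix under a host other than golang.org.
func AuditGoMod(gomod string) []string {
	var out []string
	block := "" // name of the enclosing "require (" or "replace (" block, if any
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(strings.TrimSpace(raw), "//") // strip comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")":
			block = "" // leaving a block
			continue
		case f[len(f)-1] == "(":
			block = f[0] // entering a block such as "require ("
			continue
		}
		kind, args := block, f
		if kind == "" {
			kind, args = f[0], f[1:] // single-line directive
		}
		if len(args) == 0 || (kind != "require" && kind != "replace") {
			continue
		}
		path := args[0]
		if kind == "replace" {
			_, after, ok := strings.Cut(line, "=>")
			if nf := strings.Fields(after); ok && len(nf) > 0 && isTrusted(path) && !isTrusted(nf[0]) {
				out = append(out, "trusted module "+path+" replaced by "+nf[0])
			}
		} else if strings.IndexFunc(path, func(r rune) bool { return r > 127 }) >= 0 {
			out = append(out, "non-ASCII characters in module path "+path)
		} else if !isTrusted(path) && strings.Contains(path, "/x/crypto") {
			out = append(out, "lookalike of golang.org/x/crypto: "+path)
		}
	}
	return out
}
```

Run it over each go.mod in a repository as a pre-merge check; any finding is a signal to review the dependency change by hand before it reaches a build.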