Malicious Go Module Backdoors Systems with Rekoobe, Steals Credentials Security researchers at Socket’s Threat Research Team uncovered a supply-chain attack targeting the Go ecosystem, where a malicious module impersonated the widely trusted golang.org/x/crypto library. Hosted on GitHub as github.com/xinfeisoft/crypto, the backdoored module was designed to steal credentials and deploy the Rekoobe Linux backdoor on compromised systems. The attack exploited the ReadPassword method in the legitimate ssh/terminal/terminal.go file, silently intercepting passwords as users entered them. Captured credentials were stored locally before being exfiltrated to a remote server controlled by the threat actor. The module also fetched and executed a script from GitHub, which acted as a Linux stager modifying system configurations to establish persistence, weaken security, and download additional payloads. Among the downloaded files, sss.mp5 and 555.mp5 (disguised as media files) were identified as Rekoobe backdoors. The first payload functioned as a reconnaissance tool, while the second, linked to the APT31 (Zirconium) threat group, established command-and-control (C2) communication over TCP port 443, mimicking legitimate HTTPS traffic. Persistence was further ensured by adding an SSH key to authorized_keys and altering iptables rules to allow unrestricted network traffic. The attack chain highlights the risks of unvetted dependencies, particularly in cryptographic libraries handling sensitive operations. Organizations using Go modules were advised to audit dependencies, monitor CI pipelines for suspicious changes, and enforce security controls like multi-factor authentication (MFA) to mitigate supply-chain threats.