Cybersecurity researchers have uncovered a new threat to the software supply chain: 11 malicious Go packages. These packages are designed to download and execute additional, more sophisticated payloads on compromised systems. The malicious packages, identified by security researchers, are cleverly named to mimic legitimate libraries, exploiting the decentralized nature of the Go ecosystem where developers often import modules directly from GitHub. This can cause confusion, as a search for a package might yield multiple similarly named modules, some of which may be malicious. The threat actor behind these packages appears to be a single entity, given the reuse of command-and-control (C2) servers and the consistent code format.
How the Malware Operates
The malicious Go packages contain a concealed, obfuscated loader. When a developer incorporates one of these packages into their project, the loader silently spawns a shell at runtime. This shell then connects to a remote C2 server, fetching a second-stage payload. The C2 servers use interchangeable .icu and .tech domains. This second-stage payload is executed in memory and can collect a variety of sensitive data. It’s capable of gathering host information, accessing web browser data, and communicating with the C2 server. A key feature of this attack is its cross-platform nature, as it uses different methods to compromise systems. For Linux, it delivers a bash-scripted payload, while for Windows, it retrieves and executes binaries via certutil.exe.
Vulnerabilities in the Go Ecosystem
The Go ecosystem’s structure, which allows direct imports from GitHub repositories, creates a significant vulnerability. Attackers exploit this by crafting package names that look legitimate at a glance, increasing the chance that a developer will mistakenly integrate destructive code into their projects. The identified packages, such as github.com/stripedconsu/linker and github.com/briefinitia/gouid, are examples of this tactic. This approach highlights a major challenge in securing open-source software supply chains. The decentralized nature, combined with a lack of robust verification, provides an ideal environment for threat actors to distribute malware. This incident underscores the continued risk of supply chain attacks, especially with the growing popularity and cross-platform capabilities of languages like Go.
npm Packages and Remote Wipes
This discovery coincides with another significant finding involving two npm packages, naya-flore and nvlore-hsc. These packages were designed to masquerade as WhatsApp socket libraries but had a malicious purpose. Central to their operation was a remote data wipe capability triggered by a phone number-based kill switch. The packages would retrieve a database of Indonesian phone numbers from a GitHub repository. If the user’s phone number wasn’t in the database, the code would proceed to recursively delete all files using the command rm -rf *. Both packages were published by a user named “nayflore” and were collectively downloaded over 1,110 times before being removed from the npm registry.
These incidents, both the Go packages and the npm packages, are part of a larger trend of malicious actors exploiting open-source repositories. Attackers continue to rely on proven techniques like minimizing file count, using installation scripts, and employing discreet data exfiltration methods. They also increasingly use obfuscation to evade detection. The presence of a hardcoded GitHub Personal Access Token in the naya-flore package, which could provide unauthorized access to private repositories, further illustrates the sophistication of these attacks. The constant evolution of these threats underscores the need for vigilance and ongoing monitoring by developers and organizations. As open-source software continues to grow, so too will the attack surface for supply chain threats, making security a critical concern for everyone involved in software development.
Reference:
