Supply Chain Alert: Malicious Go Packages Found Targeting Windows and Linux
Cybersecurity researchers have uncovered 11 malicious Go packages designed to download additional components from remote servers and execute them on both Windows and Linux systems. According to Socket researcher Olivia Brown, during execution the malicious code stealthily spawns a shell, retrieves a secondary payload from a set of C2 addresses hosted on .icu and .tech domains, and runs it directly in memory.
The identified repositories include:
github.com/stripedconsu/linker
github.com/agitatedleopa/stm
github.com/expertsandba/opt
github.com/wetteepee/hcloud-ip-floater
github.com/weightycine/replica
github.com/ordinarymea/tnsr_ids
github.com/ordinarymea/TNSR_IDS
github.com/cavernouskina/mcp-go
github.com/lastnymph/gouid
github.com/sinfulsky/gouid
github.com/briefinitia/gouid
These modules conceal an obfuscated loader capable of fetching and executing ELF and PE binaries, which then harvest system information, extract browser data, and communicate with command-and-control servers.
The second stage of the attack varies by operating system: on Linux, a bash script is fetched; on Windows, an executable is retrieved via certutil.exe. This dual-platform strategy exposes both Linux build servers and Windows workstations.
The risk is compounded by Go’s architecture, which allows direct module imports from GitHub—making it trivial to create repositories whose names mimic legitimate packages, thereby increasing the likelihood of accidental inclusion of malicious code in projects. Analysis of C2 infrastructure and code structure strongly suggests a single author behind these packages.
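As an added defender-side check (example code, not from the Socket report or any of the projects named here), the following Go program scans a go.mod for the eleven module paths listed above; the sample go.mod it runs on is constructed for the demonstration.

```go
package main

import "bufio"
import "fmt"
import "strings"

// Module paths named in the Socket report (copied from the article above).
var maliciousModules = []string{
	"github.com/stripedconsu/linker", "github.com/agitatedleopa/stm", "github.com/expertsandba/opt",
	"github.com/wetteepee/hcloud-ip-floater", "github.com/weightycine/replica", "github.com/ordinarymea/tnsr_ids",
	"github.com/ordinarymea/TNSR_IDS", "github.com/cavernouskina/mcp-go", "github.com/lastnymph/gouid",
	"github.com/sinfulsky/gouid", "github.com/briefinitia/gouid",
}

// FlagRequires parses go.mod text (single-line and block "require" forms) and returns every
// required path on the list, case-insensitively (the list has both tnsr_ids and TNSR_IDS).
func FlagRequires(gomod string) []string {
	var hits []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		isReq := len(f) > 0 && f[0] == "require"
		if isReq {
			f = f[1:] // "require x v1" -> "x v1"; "require (" -> "("
		}
		switch {
		case len(f) == 0:
		case f[0] == "(":
			inBlock = isReq // a "replace (" or "exclude (" block is not a require block
		case f[0] == ")":
			inBlock = false
		case inBlock || isReq: // f[0] is the module path; "// indirect" comes after the version
			for _, m := range maliciousModules {
				if strings.EqualFold(f[0], m) {
					hits = append(hits, f[0])
					break
				}
			}
		}
	}
	return hits
}

// Constructed sample go.mod (not from the article): one legitimate module and two flagged ones.
const sampleGoMod = "module example.com/app\nrequire github.com/cavernouskina/mcp-go v0.1.0\n" +
	"require (\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgithub.com/ordinarymea/TNSR_IDS v0.0.1\n)\n"
func main() {
	fmt.Println("flagged:", FlagRequires(sampleGoMod)) // [github.com/cavernouskina/mcp-go github.com/ordinarymea/TNSR_IDS]
}
```

Run it against each go.mod in a build tree; a non-empty result means the dependency set names one of the reported modules and the build should be stopped for review.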
These malicious modules target both Linux build servers and Windows workstations, enabling attackers to gain remote access and exfiltrate sensitive data. The overlap in techniques and code structure with previous malicious Go package incidents confirms that this campaign is a continuation of known software supply chain attacks.
Experts warn that the combined use of obfuscation, package name impersonation, and in-memory code loading makes such threats particularly dangerous and exceptionally difficult to detect.