New Malicious Go and npm Packages Deliver Cross-Platform Malware and Enable Remote Data Wipes

Cybersecurity analysts have identified a new wave of supply chain threats involving malicious Go and npm packages designed to compromise both Linux and Windows systems.

Go Packages with In-Memory Malware Delivery

A total of 11 malicious Go modules have been discovered, each capable of pulling a second-stage payload from remote command-and-control (C2) servers hosted under .icu and .tech domains. These payloads are executed directly in memory, allowing attackers to bypass file-based detection mechanisms.

“At runtime, the code silently spawns a shell, fetches a second-stage payload, and runs it in memory,” explained Olivia Brown, security researcher at Socket.

The malicious Go repositories include:

  • github.com/stripedconsu/linker
  • github.com/agitatedleopa/stm
  • github.com/expertsandba/opt
  • github.com/wetteepee/hcloud-ip-floater
  • github.com/weightycine/replika
  • github.com/ordinarymea/tnsr_ids
  • github.com/ordinarymea/TNSR_IDS
  • github.com/cavernouskina/mcp-go
  • github.com/lastnymph/gouid
  • github.com/sinfulsky/gouid
  • github.com/briefinitia/gouid

These modules hide obfuscated loaders designed to retrieve ELF and PE binaries that can steal host metadata, access browser data, and send beacons to the C2 infrastructure.

Because the malware uses bash scripts on Linux and certutil.exe to fetch executables on Windows, it threatens both Linux-based build environments and Windows developer workstations.

Exploiting the Go Module Ecosystem

The decentralized nature of the Go ecosystem allows importing packages directly from GitHub. Attackers take advantage of this by naming malicious modules to closely resemble legitimate ones, exploiting the ambiguity of package searches on pkg.go.dev.

Socket notes:

“This namespace manipulation tricks developers into unknowingly integrating malicious code into their software, increasing the risk of a widespread compromise.”

The consistency in C2 infrastructure and coding style suggests these packages are the work of a single threat actor.

npm Packages with Data-Wiping Functionality

In parallel, researchers discovered two npm packages, naya-flore and nvlore-hsc, disguised as WhatsApp socket libraries. Once executed, these packages fetch a GitHub-hosted list of Indonesian phone numbers.

If the user’s phone number is not on the list, the malware triggers a recursive delete command:

rm -rf *

Issued after a mock WhatsApp pairing process, this command effectively wipes the entire system.

These packages were uploaded by the user “nayflore” in July 2025 and have been downloaded over 1,100 times, remaining available on the npm registry at the time of reporting.

Additional analysis revealed:

  • A hardcoded GitHub Personal Access Token, granting unauthorized access to private repositories.
  • A dormant function for device data exfiltration, hinting at ongoing development.

“The presence of the GitHub token could indicate incomplete features or functionality reserved for future use,” said security researcher Kush Pandya.

Software Supply Chains Under Ongoing Attack

This campaign highlights the growing abuse of open-source ecosystems such as npm and Go modules to distribute malware. Attackers continue to rely on well-known tactics such as:

  • Minimizing file footprints
  • Embedding install-time scripts
  • Evading detection through obfuscation and stealthy exfiltration
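
As an added example (not code from the article, from Socket, or from Fortinet), the following Go program shows how a defender can check a project's go.mod and package.json against the module and package names reported above, and list any npm lifecycle script that runs at install time, since install-time scripts are one of the tactics named in the list above. The function names ScanGoMod and ScanPackageJSON, the Finding type, and the sample go.mod and package.json contents are this example's own constructions; the block lists contain only the names given in the article.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Go module paths reported as malicious in the article above (exact, case-sensitive).
var knownBadGoModules = map[string]bool{
	"github.com/stripedconsu/linker": true, "github.com/agitatedleopa/stm": true,
	"github.com/expertsandba/opt": true, "github.com/wetteepee/hcloud-ip-floater": true,
	"github.com/weightycine/replika": true, "github.com/ordinarymea/tnsr_ids": true,
	"github.com/ordinarymea/TNSR_IDS": true, "github.com/cavernouskina/mcp-go": true,
	"github.com/lastnymph/gouid": true, "github.com/sinfulsky/gouid": true,
	"github.com/briefinitia/gouid": true,
}

// npm package names reported as malicious in the article above.
var knownBadNpmPackages = map[string]bool{"naya-flore": true, "nvlore-hsc": true}

// npm lifecycle hooks that run automatically during "npm install".
var installHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// Finding is one block-list hit or one install-time script worth reviewing;
// Kind is "go-module", "npm-package" or "npm-install-script".
type Finding struct{ Kind, Name, Detail string }

// ScanGoMod reports every require directive (single-line or block form) whose module path is block-listed.
func ScanGoMod(goMod string) []Finding {
	var out []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && knownBadGoModules[f[0]]:
			out = append(out, Finding{"go-module", f[0], f[1]})
		case len(f) >= 3 && f[0] == "require" && knownBadGoModules[f[1]]:
			out = append(out, Finding{"go-module", f[1], f[2]})
		}
	}
	return out
}

// ScanPackageJSON reports block-listed dependencies and every lifecycle script that would run at install time.
func ScanPackageJSON(data []byte) ([]Finding, error) {
	var pkg struct {
		Dependencies map[string]string `json:"dependencies"`
		Scripts      map[string]string `json:"scripts"`
	}
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, err
	}
	var out []Finding
	for name, ver := range pkg.Dependencies {
		if knownBadNpmPackages[name] {
			out = append(out, Finding{"npm-package", name, ver})
		}
	}
	for _, hook := range installHooks {
		if cmd, ok := pkg.Scripts[hook]; ok {
			out = append(out, Finding{"npm-install-script", hook, cmd})
		}
	}
	return out, nil
}

// Constructed sample inputs, not real project files.
const sampleGoMod = `module example.com/app
require (
	github.com/cavernouskina/mcp-go v0.1.0
	golang.org/x/text v0.14.0 // indirect
)
require github.com/lastnymph/gouid v1.2.3
`

const samplePackageJSON = `{"name": "constructed-sample",
  "dependencies": {"naya-flore": "^1.0.0", "express": "^4.19.0"},
  "scripts": {"postinstall": "node setup.js", "test": "jest"}}`

func main() {
	npm, err := ScanPackageJSON([]byte(samplePackageJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range append(ScanGoMod(sampleGoMod), npm...) {
		fmt.Printf("%-19s %s (%s)\n", f.Kind, f.Name, f.Detail)
	}
}
```

Exact-name matching only catches the packages already reported, so treat the block lists as a starting point for CI checks rather than as complete coverage. The install-script check is a triage aid: many legitimate packages use postinstall hooks, so a hit means the script should be read before the dependency is installed, not that the package is malicious.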

Fortinet FortiGuard Labs warns:

“As open-source software adoption grows, so does the potential attack surface for supply chain threats. Continuous vigilance and monitoring are critical.”

Source: https://thehackernews.com/2025/08/malicious-go-npm-packages-deliver-cross.html