By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes
Computing

Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes

News Room
Last updated: 2025/08/07 at 9:36 AM
News Room Published 7 August 2025
Share
SHARE

Aug 07, 2025Ravie LakshmananMalware / Threat Intelligence

Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems.

“At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory,” Socket security researcher Olivia Brown said.

The list of identified packages is below –

  • github.com/stripedconsu/linker
  • github.com/agitatedleopa/stm
  • github.com/expertsandba/opt
  • github.com/wetteepee/hcloud-ip-floater
  • github.com/weightycine/replika
  • github.com/ordinarymea/tnsr_ids
  • github.com/ordinarymea/TNSR_IDS
  • github.com/cavernouskina/mcp-go
  • github.com/lastnymph/gouid
  • github.com/sinfulsky/gouid
  • github.com/briefinitia/gouid

The packages conceal an obfuscated loader that harbors functionality to fetch second-stage ELF and portable executable (PE) binaries, which, in turn, can gather host information, access web browser data, and beacon out to its C2 server.

Cybersecurity

“Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise,” Brown said.

Complicating matters is the decentralized nature of the Go ecosystem, which allows modules to be directly imported from GitHub repositories, causing significant developer confusion when searches for a package on pkg.go.dev can return several similarly named modules, although they may not necessarily be malicious in nature.

“Attackers exploit the confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects,” Socket said.

It’s assessed that the packages are the work of a single threat actor due to C2 reuse and the format of the code. The findings underscore the continued supply chain risks arising from the cross-platform nature of Go to push malware.

The development coincides with the discovery of two npm packages, naya-flore and nvlore-hsc, that masquerade as WhatsApp socket libraries while incorporating a phone number-based kill switch that can remotely wipe developers’ systems.

The packages, which have been collectively downloaded over 1,110 downloads, continue to remain available on the npm registry as of writing. Both libraries were published by a user named “nayflore” in early July 2025.

Central to their operations is their ability to retrieve a remote database of Indonesian phone numbers from a GitHub repository. Once the package is executed, it first checks if the current phone is in the database, and, if not, proceeds to recursively delete all files using the command “rm -rf *” following a WhatsApp pairing process.

The packages have also been found to contain a function to exfiltrate device information to an external endpoint, but calls to the function have been commented out, suggesting that the threat actor behind the scheme is signaling ongoing development.

“naya-flore also contains a hardcoded GitHub Personal Access Token that provides unauthorized access to private repositories,” security researcher Kush Pandya said. “The purpose of this token remains unclear from the available code.”

Identity Security Risk Assessment

“The presence of an unused GitHub token could indicate incomplete development, planned functionality that was never implemented, or usage in other parts of the codebase not included in these packages.”

Open-source repositories continue to be an attractive malware distribution channel in software supply chains, with the packages designed to steal sensitive information and even targeting cryptocurrency wallets in some cases.

“While overall tactics have not evolved significantly, attackers continue to rely on proven techniques, such as minimizing file count, using installation scripts, and employing discreet data exfiltration methods that maximize impact,” Fortinet FortiGuard Labs said.

“A continued rise in obfuscation also further notes the importance of vigilance and ongoing monitoring required by users of these services. And as OSS continues to grow, so too will the attack surface for supply chain threats.”

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article Disney bringing major TV service to all Brits – but admits another app will shut
Next Article Prateek Canary
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

‘We wish it never existed’: Readers Tell us about their family’s use of youtube
Software
JD.com files trademark for ‘Joyrobotaxi,’ signaling interest in autonomous ride-hailing · TechNode
Computing
Optimizing Custom Workloads with RISC-V
News
What that error message really means
Computing

You Might also Like

Computing

JD.com files trademark for ‘Joyrobotaxi,’ signaling interest in autonomous ride-hailing · TechNode

1 Min Read
Computing

What that error message really means

10 Min Read
Computing

How to Run SeaTunnel in Separated Cluster Mode on K8s | HackerNoon

17 Min Read
Computing

SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day

2 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?