Github[.]com/xinfeisoft/crypto supply-chain malware activity delivering Rekoobe
Malware Activity
Summary
Hide ▲
Show ▼
The malicious Go module github[.]com/xinfeisoft/crypto has been identified as a supply-chain malware package that steals terminal passwords and delivers Rekoobe on Linux systems. It hides code in ssh/terminal/terminal.go so ReadPassword() captures interactive secrets, then fetches a shell script that adds an attacker SSH key and weakens firewall rules. The package also stages additional payloads, including one that contacts 154.84.63[.]184:443. The activity matters because it turns a routine dependency lookup into credential theft and persistent remote access.
Related Happenings
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
H score22
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
PyTorch Lightning hit by network compromise
Incident
H score36
First: 04.05.2026 20:15
Last: 04.05.2026 20:15
Sources 1
About this happening:
A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
PyTorch Lightning hit by network compromise
IncidentAbout this happening: A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
Timeline
-
27.02.2026 17:33 2 articles · 4mo ago
Malicious Go module github[.]com/xinfeisoft/crypto disclosed
Initial DisclosureSecurity researchers disclosed a malicious Go module, github[.]com/xinfeisoft/crypto, that impersonates golang.org/x/crypto, steals passwords entered through ReadPassword(), fetches and executes a shell script, and delivers a Linux backdoor named Rekoobe; the Go security team has also taken steps to block the package as malicious.
Show sources
- Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33