Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Github[.]com/xinfeisoft/crypto supply-chain malware activity delivering Rekoobe

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The malicious Go module github[.]com/xinfeisoft/crypto has been identified as a supply-chain malware package that steals terminal passwords and delivers Rekoobe on Linux systems. It hides code in ssh/terminal/terminal.go so ReadPassword() captures interactive secrets, then fetches a shell script that adds an attacker SSH key and weakens firewall rules. The package also stages additional payloads, including one that contacts 154.84.63[.]184:443. The activity matters because it turns a routine dependency lookup into credential theft and persistent remote access.

Related Happenings

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Open Happening

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Open Happening

PyTorch Lightning hit by network compromise

Incident
First: 04.05.2026 20:15 Last: 04.05.2026 20:15 Sources 1

About this happening: A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...

Open Happening

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 Last: 30.04.2026 19:31 Sources 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

Open Happening

Plain-crypto-js remote-access Trojan delivery

Malware Activity
First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...

Latest development: 04.04.2026 23:30

Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

Open Happening

Timeline

  1. 27.02.2026 17:33 2 articles · 2mo ago

    Malicious Go module github[.]com/xinfeisoft/crypto disclosed

    Initial Disclosure

    Security researchers disclosed a malicious Go module, github[.]com/xinfeisoft/crypto, that impersonates golang.org/x/crypto, steals passwords entered through ReadPassword(), fetches and executes a shell script, and delivers a Linux backdoor named Rekoobe; the Go security team has also taken steps to block the package as malicious.

    Show sources
    Open in new tab