Find notable cyber news and cases, enriched with sources, timelines, and signals.

Github[.]com/xinfeisoft/crypto supply-chain malware activity delivering Rekoobe

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The malicious Go module github[.]com/xinfeisoft/crypto has been identified as a supply-chain malware package that steals terminal passwords and delivers Rekoobe on Linux systems. It hides code in ssh/terminal/terminal.go so ReadPassword() captures interactive secrets, then fetches a shell script that adds an attacker SSH key and weakens firewall rules. The package also stages additional payloads, including one that contacts 154.84.63[.]184:443. The activity matters because it turns a routine dependency lookup into credential theft and persistent remote access.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity
H score34 First: 09.06.2026 12:13 Last: 09.06.2026 12:13 Sources 1

About this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
H score22 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

PyTorch Lightning hit by network compromise

Incident
H score36 First: 04.05.2026 20:15 Last: 04.05.2026 20:15 Sources 1

About this happening: A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...

Timeline

  1. 27.02.2026 17:33 2 articles · 4mo ago

    Malicious Go module github[.]com/xinfeisoft/crypto disclosed

    Initial Disclosure

    Security researchers disclosed a malicious Go module, github[.]com/xinfeisoft/crypto, that impersonates golang.org/x/crypto, steals passwords entered through ReadPassword(), fetches and executes a shell script, and delivers a Linux backdoor named Rekoobe; the Go security team has also taken steps to block the package as malicious.

    Show sources