New 'Go Crypto' Malware Targets DeFi Via Supply Chain Attacks
A new malware strain dubbed “Go Crypto” is actively targeting DeFi infrastructure through supply chain attacks. The malware is designed to steal credentials and deploy a Rekoobe backdoor, highlighting a growing security threat beyond smart contract exploits.
The "Go Crypto" malware was identified by security research firm Socket, which discovered a malicious module named `github.com/xinfeisoft/crypto`. This module was a deliberate imitation of the widely trusted `golang.org/x/crypto` library, a foundational component for cryptographic functions in the Go programming language. The attack leverages a technique known as namespace confusion, where the package manager is tricked into pulling the malicious version instead of the legitimate one due to its similar naming.

The malware's primary function is to steal credentials by embedding a backdoor within the `ssh/terminal/terminal.go` file. Specifically, it alters the `ReadPassword()` function, a standard feature used to securely capture user inputs like passwords and API keys from the terminal. Once a developer's application calls this function, the compromised version captures the credentials, writes them to a local file, and exfiltrates them to an attacker-controlled server.

Upon successful credential theft, the malware fetches a shell script from a separate GitHub repository, initiating the attack's second stage. This script establishes persistence by adding the attacker's SSH key to the `authorized_keys` file, which allows continued access even if passwords are changed. It also weakens the system's firewall by setting iptables policies to accept all traffic, further exposing the compromised infrastructure.

The final payload delivered is the Rekoobe backdoor, a Linux trojan active since at least 2015. Rekoobe has been previously attributed to the Chinese state-sponsored group APT31 and gives attackers the ability to download more payloads, steal files, and execute a reverse shell for full remote control.

This incident is part of a growing trend of supply chain attacks targeting the crypto space. In December 2023, a similar attack on Ledger's Connect Kit, a JavaScript library, resulted in over $600,000 in stolen assets after a former employee's npm account was phished.
Another major incident in September 2025 saw popular npm packages like "chalk" and "debug," with billions of weekly downloads, compromised to steal crypto, though the direct financial theft was limited to around $600. A compromised `@solana/web3.js` package in December 2024 also led to the theft of approximately $164,100 by capturing private keys during transaction signing. These events highlight that even with low direct financial impact, the disruption and cleanup costs for engineering teams are substantial.

To mitigate these threats, developers are urged to move beyond basic dependency scanning. Best practices include enforcing the use of private package registries, which are controlled internal repositories for dependencies. Utilizing scoped packages or namespaces to clearly distinguish internal from public libraries, and implementing version pinning with checksum validation, ensures that only specific, verified versions of dependencies are used in the build process.

Advanced security postures also involve generating a Software Bill of Materials (SBOM) to maintain a complete inventory of all software components and their dependencies. Integrating Software Composition Analysis (SCA) tools directly into the CI/CD pipeline can automate the detection of vulnerabilities in third-party libraries before they are deployed, providing a critical defense against the injection of malicious code.
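As an added illustration of the version-pinning and checksum-validation advice above (example code, not from Socket or from the article), the following Go program audits a go.mod for require entries whose final path element mimics a trusted module, as `github.com/xinfeisoft/crypto` mimics `golang.org/x/crypto`, and for entries that have no checksum line in go.sum. The trusted allowlist, the sample go.mod and go.sum, and the placeholder h1: values are all constructed for this example.

```go
package main
import (
	"fmt"
	"path"
	"strings"
)
// Constructed allowlist of trusted module paths for this example.
var trusted = []string{"golang.org/x/crypto", "golang.org/x/net", "golang.org/x/sys"}
type Finding struct{ Module, Reason string } // one suspicious require entry
// AuditGoMod flags require entries whose last path element matches a trusted module
// but whose full path differs (the lookalike pattern), and entries with no go.sum h1: line.
func AuditGoMod(gomod, gosum string) []Finding {
	var out []Finding
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		var mod, ver string
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ") && len(f) >= 3:
			mod, ver = f[1], f[2]
		case inBlock && len(f) >= 2 && !strings.HasPrefix(line, "//"):
			mod, ver = f[0], f[1]
		}
		if mod == "" {
			continue
		}
		for _, t := range trusted {
			if mod != t && path.Base(mod) == path.Base(t) {
				out = append(out, Finding{mod, "lookalike of trusted module " + t})
			}
		}
		if !strings.Contains(gosum, mod+" "+ver+" h1:") {
			out = append(out, Finding{mod, "no go.sum checksum for " + ver})
		}
	}
	return out
}
// Constructed sample files; the h1: values are placeholders, not real checksums.
const sampleMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/xinfeisoft/crypto v0.1.0\n\tgolang.org/x/net v0.25.0\n)\n"
const sampleSum = "golang.org/x/net v0.25.0 h1:PLACEHOLDER=\ngolang.org/x/net v0.25.0/go.mod h1:PLACEHOLDER=\n"
func main() {
	for _, f := range AuditGoMod(sampleMod, sampleSum) {
		fmt.Printf("%-32s %s\n", f.Module, f.Reason)
	}
}
```

In a pipeline this complements `go mod verify`, which checks the downloaded modules against go.sum but cannot tell you whether a module path is the one you intended to depend on.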