222 GitHub Repositories Linked to Fake Go Package Malware Operation
222 GitHub Repositories Linked to Fake Go Package Malware Operation
Publish Date: 2026-07-10 06:25:00
Source Domain: securityaffairs.com
222 GitHub Repositories Linked to Fake Go Package Malware Operation
Pierluigi Paganini
July 10, 2026

Researchers uncovered 222 GitHub repositories spreading malware through fake Go packages, delivering loaders, stealers, RATs, and cryptominers.
Socket’s security research team started with the investigation of a single malicious Go module: github[.]com/kaleidora/dnsub-scanning-tool, which presented itself as a DNS and subdomain scanning utility. Pulling on that thread exposed something significantly larger: a network of 222 confirmed GitHub repositories across 190 accounts, all built to make malicious or deceptive software projects look active, recently maintained, and worth running.
Socket tracks the operation as Muck and Load, named after the Muck-themed infrastructure it runs on and the staged loading chain it uses to deliver malware.
The confirmed payload set found across these repositories includes trojan loaders, Vidar infostealer, dropper and spyware payloads, and Monero cryptominers tied to XMRig. This wasn’t a collection of empty lure pages. Some repositories directly distributed malware.
The dnsub-scanning-tool module impersonated a legitimate open-source subdomain enumeration project. Its README described real scanner functionality. Its code did something else. Before any scanner logic could run, the module’s main() function launched a hidden PowerShell command that downloaded content from muckcoding[.]com, saved it as api.db, decoded it using certutil, wrote the result as L.ps1, and executed it with execution-policy bypass and a hidden window. As Socket’s report describes it:
“The loader’s execution mode further reinforces malicious intent. It launches PowerShell with a hidden window and then invokes the decoded script with: -ExecutionPolicy Bypass.” reads the report published by cybersecurity firm Socket.
“That flag does not exploit PowerShell by…