{"id":287936,"date":"2026-07-10T06:25:00","date_gmt":"2026-07-10T10:25:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/222-github-repositories-linked-to-fake-go-package-malware-operation\/"},"modified":"2026-07-10T08:00:15","modified_gmt":"2026-07-10T12:00:15","slug":"222-github-repositories-linked-to-fake-go-package-malware-operation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/222-github-repositories-linked-to-fake-go-package-malware-operation\/","title":{"rendered":"222 GitHub Repositories Linked to Fake Go Package Malware Operation"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/195101\/security\/222-github-repositories-linked-to-fake-go-package-malware-operation.html\">222 GitHub Repositories Linked to Fake Go Package Malware Operation<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/195101\/security\/222-github-repositories-linked-to-fake-go-package-malware-operation.html\">https:\/\/securityaffairs.com\/195101\/security\/222-github-repositories-linked-to-fake-go-package-malware-operation.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-10 06:25:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>222 GitHub Repositories Linked to Fake Go Package Malware Operation<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> July 10, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/07\/image-31.png?fit=1082%2C1281&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\"><strong>Researchers uncovered 222 GitHub repositories spreading malware through fake Go packages, delivering loaders, stealers, RATs, and cryptominers.<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Socket\u2019s security research team started with the investigation of a single malicious Go module: github[.]com\/kaleidora\/dnsub-scanning-tool, which presented itself as a DNS and subdomain scanning utility. Pulling on that thread exposed something significantly larger: a network of 222 confirmed GitHub repositories across 190 accounts, all built to make malicious or deceptive software projects look active, recently maintained, and worth running. <\/p>\n<p class=\"wp-block-paragraph\">Socket tracks the operation as Muck and Load, named after the Muck-themed infrastructure it runs on and the staged loading chain it uses to deliver malware.<\/p>\n<p class=\"wp-block-paragraph\">The confirmed payload set found across these repositories includes trojan loaders, Vidar infostealer, dropper and spyware payloads, and Monero cryptominers tied to XMRig. This wasn\u2019t a collection of empty lure pages. Some repositories directly distributed malware.<\/p>\n<p class=\"wp-block-paragraph\">The dnsub-scanning-tool module impersonated a legitimate open-source subdomain enumeration project. Its README described real scanner functionality. Its code did something else. Before any scanner logic could run, the module\u2019s main() function launched a hidden PowerShell command that downloaded content from muckcoding[.]com, saved it as api.db, decoded it using certutil, wrote the result as L.ps1, and executed it with execution-policy bypass and a hidden window. As Socket\u2019s report describes it: <\/p>\n<p class=\"wp-block-paragraph\">\u201cThe loader\u2019s execution mode further reinforces malicious intent. It launches PowerShell with a hidden window and then invokes the decoded script with:\u00a0-ExecutionPolicy Bypass.\u201d reads the report published by cybersecurity firm Socket.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThat flag does not exploit PowerShell by&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/195101\/security\/222-github-repositories-linked-to-fake-go-package-malware-operation.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>222 GitHub Repositories Linked to Fake Go Package Malware Operation https:\/\/securityaffairs.com\/195101\/security\/222-github-repositories-linked-to-fake-go-package-malware-operation.html Publish Date: 2026-07-10 06:25:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":287937,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/07\/image-31.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,36,32],"class_list":["post-287936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-infostealer","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287936"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=287936"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287936\/revisions"}],"predecessor-version":[{"id":287938,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287936\/revisions\/287938"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/287937"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=287936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=287936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=287936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}