Fake Go DNS scanner spread malware through over 200 GitHub repos — ‘Operation Muck and Load’ has published 700 malicious modules since January

Supply-chain security firm Socket has published research findings describing a Go module that posed as a DNS and subdomain scanner while acting as a first-stage Windows malware loader. The firm then traced it to a network of 222 GitHub repositories across 190 accounts. The module published its first version on January 24 this year and has since accumulated more than 1,200 versions, over 700 of them malicious. Socket tracks the campaign as “Operation Muck and Load” and reported the module to the Go security team, which blocked it from the Go module proxy.

Go deeper with TH Premium: AI and data centers

Microsoft data center in Mount Pleasant, Wisconsin

(Image credit: Microsoft)

Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor’s own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility’s release history into the hundreds.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *