Home / Software

Photo of cryptocurrency, video game, television
Image: Wikipedia
Software

Malicious Go Module Spreads Malware Through 222 GitHub Repositories

WireByte Staff · July 11, 2026

A malicious Go module, part of 'Operation Muck and Load', has been spreading malware through over 200 GitHub repositories since January. The module, posing as a DNS and subdomain scanner, has accumulated over 700 malicious versions and was blocked by the Go security team.

Key points

  • Socket, a supply-chain security firm, discovered a malicious Go module that spread malware through 222 GitHub repositories across 190 accounts.
  • The module, part of 'Operation Muck and Load', published its first version on January 24 and has since accumulated over 700 malicious versions.
  • The Go security team blocked the module from the Go module proxy after Socket reported it.
  • The threat actor used a GitHub Actions workflow to generate timed commits, inflating the scanner utility's release history into the hundreds.
  • Socket counted 222 repositories as the confirmed minimum, where the same workflow was found, setting the Git email to ischhfd83@rambler.ru and force-pushing a rewritten log file every minute.

A malicious Go module, part of the 'Operation Muck and Load' campaign, has been spreading malware through over 200 GitHub repositories since January. The module, posing as a DNS and subdomain scanner, has accumulated over 700 malicious versions and was blocked by the Go security team.

The discovery was made by Socket, a supply-chain security firm, which reported the module to the Go security team. The team subsequently blocked the module from the Go module proxy.

The threat actor used a GitHub Actions workflow to generate timed commits, inflating the scanner utility's release history into the hundreds. This allowed the module to spread malware through 222 GitHub repositories across 190 accounts.

The module's main.go launches a hidden PowerShell payload, which can be used to download and execute malicious files. The threat actor's use of disposable accounts and a reusable fingerprint made it difficult to track the spread of the malware.

The discovery highlights the importance of supply-chain security and the need for developers to be vigilant when using third-party libraries and modules.

Sources

WireByte Staff — Editorial Team

The WireByte editorial team synthesises technology news from multiple primary sources, verifies the facts, and links every source. Articles are produced with AI assistance and reviewed under our editorial policy.