
Malicious Go Modules and npm Libraries Deploy Rekoobe Backdoor with Remote Wipe Capabilities
Researchers at Socket have identified 11 malicious Go modules and at least two npm libraries that contain a loader capable of downloading "Rekoobe," a second-stage ELF/PE backdoor. Some variants of these malicious packages can execute a remote wipe command (rm -rf *), leading to complete system deletion. The malicious Go modules include github.com/stripedconsu/linker, expertsandba/opt, ordinarymea/TNSR_IDS, and cavernouskina/mcp-go, while the malicious npm libraries are naya-flore and nvlore-hsc. These packages pose a significant threat to system integrity and data security.

The use of Go modules and npm libraries in this attack highlights the growing trend of supply chain attacks, where malicious code is distributed through seemingly legitimate software dependencies. The cross-platform nature of the Rekoobe backdoor (ELF/PE) indicates that it can affect both Linux and Windows systems, increasing its potential impact. The ability to execute a remote wipe command underscores the destructive potential of these threats, which can lead to complete data loss.

Developers and organizations must be vigilant about the sources of their dependencies and implement robust cybersecurity practices, including regular audits of dependencies, the use of tools to detect malicious code, and maintaining regular backups and incident response plans to mitigate the impact of such attacks. This incident underscores the importance of stringent security practices in package management and dependency tracking to prevent supply chain attacks.
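One way to run the dependency audit recommended above, as an added example (not Socket's tooling and not code from the original report): it checks Go and npm manifests in a checkout for the package names listed in this article. Go entries are matched as owner/repo path segments because the article gives most of them without a host prefix; the function names are illustrative.

```python
import json
from pathlib import Path

# Names exactly as listed in the article: owner/repo fragments for Go, package names for npm.
BAD_GO = ("stripedconsu/linker", "expertsandba/opt", "ordinarymea/TNSR_IDS", "cavernouskina/mcp-go")
BAD_NPM = ("naya-flore", "nvlore-hsc")
DEP_KEYS = {"dependencies", "devDependencies", "optionalDependencies", "peerDependencies", "packages"}
MANIFESTS = {"go.mod", "go.sum", "package.json", "package-lock.json"}

def scan_go(text):
    """Flag listed modules in go.mod or go.sum content (require, replace and checksum lines)."""
    hits = set()
    for line in text.splitlines():
        for tok in line.split("//", 1)[0].split():  # drop trailing // comments
            path = "/" + tok.strip('"').lower() + "/"  # whole-segment, case-insensitive match
            hits.update(b for b in BAD_GO if "/" + b.lower() + "/" in path)
    return sorted(hits)

def scan_npm(text):
    """Flag listed packages in package.json or package-lock.json, including npm: aliases."""
    hits = set()
    def walk(node, in_deps):
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            names = [key.rsplit("node_modules/", 1)[-1]]  # lockfile keys carry a path prefix
            if isinstance(val, str) and val.startswith("npm:"):
                names.append(val[4:].rsplit("@", 1)[0])  # "alias": "npm:real-name@1.0.0"
            hits.update(n for n in names if in_deps and n in BAD_NPM)
            walk(val, key in DEP_KEYS)
    walk(json.loads(text), False)
    return sorted(hits)

def scan_tree(root):
    """Return {manifest path: [flagged names]} for every manifest under root with a hit."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.name in MANIFESTS:
            scan = scan_go if path.name.startswith("go.") else scan_npm
            try:
                found = scan(path.read_text(encoding="utf-8", errors="replace"))
            except (OSError, ValueError):  # unreadable or malformed manifest
                continue
            if found:
                report[str(path)] = found
    return report

if __name__ == "__main__":
    print(json.dumps(scan_tree("."), indent=2))
```

Run it from the root of a checkout; an empty object means none of the listed names appear in the manifests it found.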