A threat actor has constructed a network of 222 GitHub repositories across 190 accounts to distribute Windows malware, exploiting Go's versioning system and public platforms as dead drops. The operation, dubbed "Operation Muck and Load" by Socket researchers, has produced more than 1,200 versions of a Go module since January 24, 2026, of which 700 have been identified as malicious. The mechanism exploits developers' trust in the open-source ecosystem and the difficulty of distinguishing legitimate pseudo-versions from automated commits.
- 222 repositories across 190 GitHub accounts form the distribution network identified as "Operation Muck and Load."
- Over 1,200 Go module versions published since January 24, 2026, with 700 confirmed malicious.
- Payload hides in strings padded with excessive whitespace, triggering a PowerShell infection chain via public dead drops.
- Final payloads include AsyncRAT, Quasar RAT, Remcos-style RAT, Vidar infostealer, and XMRig/BitMiner.
The Disguise: A Go Module Masquerading as a DNS Scanner
The malicious module poses as a DNS and subdomain scanning tool, impersonating the legitimate open-source project dnsub. The impersonation runs deep: the repository maintains seemingly coherent functionality aligned with its stated purpose, enough to pass a cursory review. The critical difference lies in an apparently empty string, concealed by excessive horizontal whitespace, that contains a PowerShell command.
The PowerShell executes before the legitimate scanning logic runs. It bypasses script-execution policy restrictions and retrieves additional scripts from dead drops hosted on public platforms. The whitespace obfuscation exploits an attention gap: automated review tools and developers alike tend to ignore strings that appear empty or formatted for readability.
The "Version Farm": How GitHub Actions Became a Weapon
The operation's defining characteristic is its massive use of automated versioning. According to Socket, as quoted by SecurityWeek, "the likely cause is not normal release engineering, but the threat actor's own GitHub Actions workflow repeatedly generating timestamp commits that could be surfaced as Go pseudo-versions." Go pseudo-versions — based on commit timestamps and abbreviated hashes — are designed for direct repository references without semantic tags. The actor turned them into a distribution system: every commit generates a new referenceable version, multiplying propagation opportunities.
This approach far exceeds typical typo-squatting or single-repository operations. With 1,200 versions available, an actor can vary recommended references across forums, documentation, or issue replies, making tracking and blocking extremely difficult. Distribution across 190 separate accounts adds resilience: removing one account does not compromise the entire network.
"The public sources are the dead-drop locations embedded in the script, including Pastebin, Rlim, Muck-themed infrastructure, and fallback locations on public platforms such as YouTube, Instagram, Telegram, Google Docs, and GitCode."
Public Dead Drops: When Trusted Platforms Become C2 Infrastructure
The infection chain does not rely on proprietary infrastructure but on an ecosystem of public platforms already whitelisted in corporate firewalls. The dead drops — temporary collection points for payloads and commands — include Pastebin, Rlim, YouTube, Instagram, Telegram, Google Docs, and GitCode. This architecture renders reputation-based network blocking ineffective: a firewall that permits access to Google Docs or YouTube cannot distinguish between legitimate use and malicious script retrieval without content inspection.
Scripts retrieved from the dead drops execute a structured sequence: a resolver locates encrypted payload metadata, decrypts the actual URLs, downloads a password-protected archive, extracts it, and executes. The archive's password protection adds another layer of obfuscation against automated analysts.
The Payloads: RATs, Infostealers, and Miners in a Multi-Stage Arsenal
Socket identified at least 14 unique malware files in the actor's workflow repositories. Confirmed final payloads include AsyncRAT, Quasar RAT, and a Remcos-style RAT — remote access tools that provide persistent control over compromised machines. The arsenal also comprises infostealers, spyware, and trojan loaders/downloaders. Specific samples include Vidar, an infostealer known for stealing browser data and credentials, and XMRig/BitMiner for cryptocurrency mining.
The multiplicity of payloads suggests operators interested in both espionage and immediate profit, or in selling access to third parties. Distribution through a Go module — typically installed in development and build environments — potentially exposes developer workstations and, via CI/CD pipelines, build servers and production artifacts.
Traces of a Recurring Actor: The "ischhfd83" Overlap
Researchers identified overlaps with previous activity associated with the email address "ischhfd83" and "Muck-themed" domains. This correlation indicates the operation is not a debut but the evolution of an ongoing campaign, with the actor refining their modus operandi over time. However, no infrastructure overlaps link the actor to known, documented threat groups at this stage.
The actor's identity remains unknown. The dossier does not specify geography, primary motive, or any identified victims by name. It is also undocumented whether the repositories have been removed by GitHub at the time of the report's publication.
What to Do Now
For teams using Go modules in development or production environments, priority actions derive directly from the attack mechanism:
- Verify references to Go modules with pseudo-versions generated from recent commits lacking stable semantic tags, especially if associated with repositories showing sparse or repetitive commit histories.
- Inspect module source code before installation, paying particular attention to apparently empty strings or anomalous whitespace formatting.
- Monitor PowerShell executions in development environments, where script-execution policies are often more permissive than in production.
- Segment CI/CD pipelines to prevent third-party modules from executing code with elevated privileges on build servers.
Why This Attack Redefines Supply Chain Risk
Operation Muck and Load exploits neither a zero-day vulnerability nor a misconfiguration: it abuses legitimate mechanisms of the world's largest collaborative development ecosystem. The confidence developers place in automated versioning, visible commit history, and GitHub presence becomes the infection vector itself. The use of pseudo-versions as a distribution vehicle makes defense based solely on known-version blocklists impossible: every new commit is a new version, every new version a potential new payload.
The maturation of this model — from manual typo-squatting repository creation to industrial-scale version automation via CI/CD — signals a transition in the software supply chain threat landscape. Threat actors no longer merely imitate open source: they weaponize it from within, exploiting the very infrastructure that makes open source scalable.
Frequently Asked Questions
What is a Go pseudo-version and why is it vulnerable to this abuse?
A pseudo-version is an automatically generated identifier Go creates when a module is referenced by a commit without a semantic tag, in the format v0.0.0-timestamp-commithash. It is legitimate for development and direct dependencies, but its automatic generation allows an actor to produce unlimited referenceable versions without requiring platform approval or review.
How does the malware evade security tools?
The initial payload hides in strings padded with excessive whitespace, a format many superficial scanners ignore. The infection chain is multi-stage: the module itself contains no executable malware but a PowerShell command that retrieves further stages from whitelisted public platforms, rendering isolated static analysis ineffective.
Is this incident related to GitHub vulnerability CVE-2026-3854?
No. CVE-2026-3854 is a distinct RCE vulnerability unrelated to Operation Muck and Load. The two incidents share no TTPs, infrastructure, or actors.
Sources
- https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/
- https://thehackernews.com/2026/04/researchers-discover-critical-github.html
- https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
- https://securityboulevard.com/2026/04/the-growing-abuse-of-github-and-gitlab-in-phishing-campaigns/
- https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
- https://github.com/advisories/GHSA-64fw-jx9p-5j24
- https://thehackernews.com/
- https://thehackernews.com/p/upcoming-hacker-news-webinars.html
- https://thehackernews.com/search/label/Threat%20Intelligence
- https://thehackernews.com/search/label/Vulnerability
Information verified against cited sources and current as of publication.