Executive Summary
A deceptive Go module exposed a Windows malware-staging chain and a high-confidence GitHub lure network of 222 repositories across 190 accounts. [1]
Socket reports that github[.]com/kaleidora/dnsub-scanning-tool impersonated a DNS/subdomain scanner and launched hidden PowerShell. Socket conservatively validated 222 repositories across 190 accounts by requiring both a linked email and a synthetic GitHub Actions commit-farming workflow. The source says the Go team blocked the module from the module proxy and explicitly calls Muck and Load a tracking label, not an attribution boundary. [1]