Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network

Confirmed
Discovered Jul 8, 2026

A deceptive Go module exposed a Windows malware-staging chain and a high-confidence GitHub lure network of 222 repositories across 190 accounts.

1
Affected Packages
8
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
github.com/kaleidora/dnsub-scanning-tool
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
muckcoding[.]com
go[.]sum
muckdeveloper[.]com
go[.]mod
protected archive download

Analysis

Executive Summary

A deceptive Go module exposed a Windows malware-staging chain and a high-confidence GitHub lure network of 222 repositories across 190 accounts. [1]

Socket reports that github[.]com/kaleidora/dnsub-scanning-tool impersonated a DNS/subdomain scanner and launched hidden PowerShell. Socket conservatively validated 222 repositories across 190 accounts by requiring both a linked email and a synthetic GitHub Actions commit-farming workflow. The source says the Go team blocked the module from the module proxy and explicitly calls Muck and Load a tracking label, not an attribution boundary. [1]

Key Facts

Analysis table
FactValue
Affected Artifactgithub.com/kaleidora/dnsub-scanning-tool
Ecosystemgo, github
Malicious VersionsPublic source inventory is dynamic or exact versions were not reproduced here
Exposure WindowOngoing as of 2026-07-08
Immediate ActionPreserve evidence, isolate systems where execution occurred, and rotate exposed secrets from a clean host

Evidence Assessment

Analysis table
AssessmentClaimEvidence
Confirmed by reportinguse of the deceptive Go module leads to hidden PowerShell execution on WindowsSource 1
Confirmed by reportingpublic dead-drop resolution; protected archive delivery; RAT and infostealer staging; synthetic GitHub Actions commit farmingSource 1
UnclearComplete victim count, exact exposure per organization, and exhaustive version listNot established by the supplied sources

Impact Determination

Analysis table
Exposure ClassificationCriteriaRequired EvidenceRequired ActionClosure Gate
Confirmed compromisePayload execution or matching malicious artifact/process/network evidenceHost timeline, dependency metadata, process and network logsIsolate, preserve, rebuild, rotate exposed credentialsKnown-good rebuild plus negative hunts and downstream identity audit
Exposure onlyAffected selector present but no execution evidenceLockfile/repository history and installation logsQuarantine artifact and investigateDocumented non-execution determination

Minimum Evidence To Collect

  • Dependency and repository records: collect lockfiles, package caches, Git history, release metadata, and CI logs to establish whether an affected selector reached the environment.
  • Endpoint evidence: collect process trees, shell history, EDR telemetry, persistence records, and network logs to distinguish dependency presence from payload execution.
  • Identity evidence: collect repository, registry, cloud, and secret-access audit logs because developer execution can expose tokens available to the process.

Timeline

  • 2026-07-08 UTC: Supplied research was published or updated; exact malicious publication times remain in the source's evolving inventory. [1]

What Happened

Socket reports that github[.]com/kaleidora/dnsub-scanning-tool impersonated a DNS/subdomain scanner and launched hidden PowerShell. Socket conservatively validated 222 repositories across 190 accounts by requiring both a linked email and a synthetic GitHub Actions commit-farming workflow. The source says the Go team blocked the module from the module proxy and explicitly calls Muck and Load a tracking label, not an attribution boundary. [1]

Initial Access

Socket reports that github[.]com/kaleidora/dnsub-scanning-tool impersonated a DNS/subdomain scanner and launched hidden PowerShell. Socket conservatively validated 222 repositories across 190 accounts by requiring both a linked email and a synthetic GitHub Actions commit-farming workflow. The source says the Go team blocked the module from the module proxy and explicitly calls Muck and Load a tracking label, not an attribution boundary. [1]

Execution Trigger

Use of the deceptive go module leads to hidden powershell execution on windows. [1]

Payload Behavior

Reported behaviors include public dead-drop resolution; protected archive delivery; RAT and infostealer staging; synthetic GitHub Actions commit farming. [1]

Credential or Data Collection

Treat credentials accessible to an executed developer process as potentially exposed. This is a response assumption, not proof that every listed credential was collected.

Defense Evasion

The supplied reporting describes techniques intended to hide malicious changes or execution in trusted developer workflows. [1]

Exfiltration and Command and Control

Use the machine-readable profile only for sourced infrastructure. Absence of an IOC here does not establish absence of network activity.

Affected Assets and Blast Radius

Prioritize developer workstations, CI runners, repositories, package caches, and credentials present during execution. Presence alone is exposure; execution evidence raises the case to confirmed compromise.

Indicators of Compromise

See iocs.json; prose intentionally avoids presenting source/advisory URLs as attacker IOCs.

Detection and Hunting

Run scripts/hunt_operation_muck_and_load_github_go.py PATH. It recursively scans exported text, JSON, CSV, lockfiles, and logs for the incident-specific selectors embedded in the script. A match is a triage lead, not proof. False positives include documentation or threat-intelligence records. Escalate matches by preserving the file and correlating timestamps with process/network telemetry.

Downstream Abuse Audits

If execution is confirmed, audit repository token use, package publication, CI workflow changes, cloud sessions, and newly created credentials from the first possible exposure time. Rotate secrets from a clean host.

Remediation and Recovery Gates

  1. Preserve dependency, repository, endpoint, and identity evidence before cleanup.
  2. Stop package installation and isolate systems with execution evidence.
  3. Revoke active sessions and rotate process-accessible credentials from a clean machine.
  4. Remove malicious artifacts, inspect persistence, and rebuild confirmed-compromised systems.
  5. Restore only verified releases and lockfiles; require review of developer-task configuration and repository history.
  6. Audit downstream repository, registry, CI, and cloud activity.
  7. Close only after negative hunts, verified rebuilds, completed credential decisions, and a documented UTC incident timeline.

Open Questions

  • Which exact versions and release timestamps intersect the organization's dependency history?
  • Did the payload execute, and which credentials were present?
  • Are additional artifacts still being added to the source's live inventory?

Timeline

3 of 3 rows

Timeline
DateEventDescriptionSource
Jul 8, 2026DiscoveryDiscovery recorded for Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network.Socket
Jul 8, 2026DisclosureDisclosure recorded for Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network.Socket
Jul 8, 2026Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure NetworkUnknownSocket

Affected Software

1 of 1 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
github.com/kaleidora/dnsub-scanning-toolgounknownMalicious90%Socket

IOC Clipboard

8 IOCs
domainmuckcoding.com
file_pathgo.sum
domainmuckdeveloper.com
file_pathgo.mod
network_patternprotected archive download
commanddnsub-scanning-tool
network_patternpublic dead-drop retrieval
commandpowershell.exe

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network evidence scopePythonDo exported repository, dependency, endpoint, or network records contain incident selectors?scripts/hunt_operation_muck_and_load_github_go.py opens in a new tabSocket

Hunt Manifest: Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network evidence scope

Title
Operation Muck and Load Uses a Malicious Go Module and a 222-Repository GitHub Lure Network evidence scope
Question
Do exported repository, dependency, endpoint, or network records contain incident selectors?
Telemetry Family
Python
Repository
scripts/hunt_operation_muck_and_load_github_go.py
Show tested hunting scriptscripts/hunt_operation_muck_and_load_github_go.py
scripts/hunt_operation_muck_and_load_github_go.py opens in a new tabPython
#!/usr/bin/env python3
"""Static scanner for operation-muck-and-load-github-go; never executes artifacts."""
import pathlib,sys,json
SELECTORS=['dnsub-scanning-tool', 'github.com/kaleidora/dnsub-scanning-tool', 'github.com/kaleidora/dnsub-scanning-tool unknown', 'go.mod', 'go.sum', 'muckcoding.com', 'muckdeveloper.com', 'powershell.exe', 'protected archive download', 'public dead-drop retrieval']
def scan(root):
 out=[]
 for p in pathlib.Path(root).rglob('*'):
  if not p.is_file(): continue
  try: text=p.read_text(errors='ignore').lower()
  except OSError: continue
  hits=[s for s in SELECTORS if s.lower() in text]
  if hits: out.append({'path':str(p),'selectors':hits})
 return out
if __name__=='__main__':
 if len(sys.argv)!=2: raise SystemExit('usage: hunt_operation_muck_and_load_github_go.py PATH')
 hits=scan(sys.argv[1]); print(json.dumps(hits,indent=2)); raise SystemExit(2 if hits else 0)

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
SocketVendor95%1A deceptive Go module exposed a Windows malware-staging chain and a high-confidence GitHub lure network of 222 repositories across 190 accounts.