11 malicious Go packages just found - infecting both Windows and Linux. They silently download payloads, hijack shells, and can steal browser data. Worse: they look legit, preying on confused devs importing from GitHub. Details devs need to see: https://t.co/XTbKyaZlDl
Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes: https://t.co/Wfsfwbonrb by The Hacker News #infosec #cybersecurity #technology #news
Cyber-security firm Socket has identified 11 malicious Go modules uploaded to GitHub that surreptitiously download second-stage payloads capable of running on both Windows and Linux systems. The code silently spawns a shell, fetches additional binaries from .icu and .tech command-and-control domains, and can exfiltrate browser data, according to researcher Olivia Brown. The attacker mimicked legitimate package names to exploit confusion in the Go ecosystem, which lets developers import code directly from GitHub. Reuse of infrastructure and coding patterns suggests a single threat actor is behind the campaign.

Separately, two npm libraries, naya-flore and nvlore-hsc, were found to pose as WhatsApp socket tools while containing a phone-number-based kill switch that can recursively delete files. Published in early July, the pair have been downloaded more than 1,110 times and remain on the npm registry. Researchers also reported an AI-generated npm package that siphoned Solana funds from over 1,500 users before it was removed.

The discoveries underscore the growing risk of software-supply-chain attacks as threat actors increasingly seed open-source repositories with cross-platform malware.