A malware campaign that researchers have dubbed "Operation Muck and Load" used a fake Go programming tool to spread malicious code across the GitHub platform, according to Tom's Hardware.

The lure was a bogus DNS scanner written in Go, a popular open-source language often used to build networking and infrastructure software. Developers who pulled the module into their own projects risked pulling in malware along with it.

According to Tom's Hardware, the operation has published roughly 700 malicious modules since January, spread across more than 200 GitHub repositories — 222 in total once researchers had traced the full campaign.

The report also details how persistent the effort was. The fake module published its first version on January 24 of this year and has since accumulated more than 1,200 versions. Churning out large numbers of versions is a common tactic in this kind of attack: it helps a package look active and legitimate, and it gives attackers many chances to slip tainted code past anyone reviewing it.

What makes campaigns like this hard to stop is that they target the software supply chain rather than end users directly. Developers routinely trust and reuse code from public repositories, so a single poisoned module can quietly reach many downstream projects — and, eventually, the people who use the apps built on top of them.

Why it matters: the story is a reminder that the open-source components underpinning modern software can be weaponized at scale, and that even code from well-known platforms like GitHub deserves scrutiny before it is trusted.