reverse_ssh
reverse_ssh is an open-source Golang reverse shell / reverse SSH tool. In the reporting summarized here, it was identified as functionality used by malware to establish reverse SSH connections to attacker-controlled endpoints.

Tenable Research reported that a malicious npm package, ambar-src, delivered a Linux payload identified as a client of github.com/NHAS/reverse_ssh. The package executed via an npm preinstall script, so a host could be compromised at installation time without the package ever being imported or run directly. The campaign targeted Windows, Linux, and macOS developers; Linux infections fetched a shell script from x-ya[.]ru that downloaded and executed an ELF binary saved as osa, and one Linux payload was specifically identified as an NHAS/reverse_ssh client. Reported Linux-related hashes include the shell script (SHA-256 8963568963f770e237bff2b228106e4ce7ebb0a1af0e0cf7b26028bdc8515bc5), a Linux payload (SHA-256 83e131a2761d6f3a5636cf329182242a927a618174dd440989dc9286be4edeac), and an NHAS/reverse_ssh payload (SHA-256 1e6fa5021db4dd40b571cc4e654a71c22d0f607d13fb8a4a5a46a64060f3071e).

Separately, SentinelLABS reported that the China-nexus activity cluster PurpleHaze used a Go-based Windows backdoor named GoReShell that leveraged functionality from the open-source reverse_ssh tool to establish reverse SSH connections to attacker-controlled endpoints. SentinelLABS assessed PurpleHaze with high confidence as China-nexus and loosely linked it to APT15.

High-confidence infrastructure and delivery details stated directly in the source content include x-ya[.]ru as the staging domain in the npm supply-chain campaign.
Recent activity
Open-source Golang reverse shell client deployed on Linux as part of the ambar-src infection chain, enabling remote interactive access/pivoting from compromised developer hosts.
Open-source tool providing reverse SSH capability; its functionality is leveraged by GoReShell to create attacker-controlled reverse SSH access.