In a move that can only be described as adorably conniving, a Go module has decided it’s tired of being just a one-trick brute-force tool. Instead, it’s moonlighting as a master thief, smugly siphoning off credentials and chatting up its owner via Telegram. Because who needs subtlety when you have encrypted instant messaging?

This module, which pretends to be a brutish force of cyber strategy, is secretly more of a sneaky puppet master. Its creator has so artfully pulled the strings that the module doesn’t just crack SSH logins—it collects them like rare Pokémon cards and hands them over to its master with the same enthusiasm of a pet bringing home a dead bird.

Kirill Boychenko, a digital Sherlock from Socket, uncovered the twisted hobby of this module. Apparently, on scoring its first successful hack, it sends a congratulatory message along with a neat little package of stolen credentials to a Telegram bot. Presumably, the creator waits eagerly, like a proud parent on graduation day, checking their phone for the latest ‘success’ updates.

So next time you’re choosing a tool for your SSH needs, remember: some of them may come with a little more personality—and a whole lot more shady business—than you bargained for. Choose wisely, lest your credentials become the next addition to a hacker’s Telegram trophy cabinet.