Malicious Go module published June 24, 2022 steals SSH credentials via Telegram bot, evading detection.