CyberSecurity news
info@thehackernews.com (The Hacker News)
Cybersecurity researchers have exposed a sophisticated supply chain attack that targets Go developers, deploying malicious Go modules engineered to wipe entire disks. This attack, detected in April 2025, leverages the decentralized nature of Go's module system to introduce destructive payloads into unsuspecting developers' projects. The malicious modules use obfuscation techniques to conceal their true purpose, fetching remote shell scripts that, when executed, irreversibly overwrite the primary storage device of Linux systems with zeros, rendering them unbootable.
The three identified malicious Go modules are github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy. Despite appearing legitimate, these modules contain highly obfuscated code designed to retrieve and execute remote payloads. The attackers exploit the Go ecosystem's openness, where developers directly import dependencies from public repositories like GitHub without centralized gatekeeping. This lack of strict validation enables attackers to use namespace confusion and typosquatting, tricking developers into integrating destructive payloads into their projects.
This attack highlights the escalating risks present in open-source supply chains. Once included in a project, the malicious code fetches a destructive shell script, such as "done.sh", from attacker-controlled servers. This script then uses the 'dd' command to overwrite the entire primary disk, causing complete data loss and prolonged operational downtime, with no hope for data recovery. Developers are urged to verify package authenticity, audit dependencies, and enforce strict access controls on private keys to mitigate supply chain threats targeting Linux, npm, Python, and PyPI ecosystems.
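As one way to carry out the dependency audit urged above, the following added example (not code from Socket or from any of the reports this page summarizes) scans the text of a go.mod file for the three module paths named on this page. The function names and the sample go.mod are constructed for illustration, and the check covers go.mod only, not go.sum or vendored source.

```go
package main

import (
	"fmt"
	"strings"
)

// Module paths named on this page, kept defanged as published.
var blocked = []string{
	"github[.]com/truthfulpharm/prototransform",
	"github[.]com/blankloggia/go-mcp",
	"github[.]com/steelpoor/tlsproxy",
}

func refang(s string) string { return strings.ReplaceAll(s, "[.]", ".") }

// FindBlocked reports require/replace entries (single-line or block form)
// in go.mod text that name a blocked module or a subpath of one.
func FindBlocked(gomod string) []string {
	var hits []string
	inBlock := false
	for i, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		directive := f[0] == "require" || f[0] == "replace"
		if f[0] == ")" || f[len(f)-1] == "(" {
			inBlock = directive // opens a require/replace block, or closes any block
			continue
		}
		if !directive && !inBlock {
			continue // module, go, exclude, retract lines are not dependencies
		}
		for _, tok := range f {
			for _, b := range blocked {
				if t := strings.ToLower(tok); t == refang(b) || strings.HasPrefix(t, refang(b)+"/") {
					hits = append(hits, fmt.Sprintf("line %d: %s", i+1, tok))
				}
			}
		}
	}
	return hits
}

func main() {
	sample := "require (\n\t" + refang(blocked[1]) + " v0.0.0 // indirect\n)\n" // constructed go.mod
	fmt.Println(FindBlocked(sample))
}
```

A non-empty result is a reason to stop the build and review how the dependency was introduced; the right-hand side of `replace` directives is checked as well, since a replacement can pull in a module that no `require` line names.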
Classification:
- HashTags: #SupplyChainAttack #GoLang #DiskWiper
- Company: Socket
- Target: Go Developers
- Product: Go Modules
- Feature: Supply Chain Attack
- Malware: Go Modules
- Type: Malware
- Severity: Disaster