Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system’s primary disk and render it unbootable.

The names of the packages are listed below –

• github[.]com/truthfulpharm/prototransform
• github[.]com/blankloggia/go-mcp
• github[.]com/steelpoor/tlsproxy

“Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads,” Socket researcher Kush Pandya said.

The packages are designed to check if the operating system on which they are being run is Linux, and if so retrieve a next-stage payload from a remote server using wget.

The payload is a destructive shell script that overwrites the entire primary disk (“/dev/sda”) with zeroes, effectively preventing the machine from booting up.

“This destructive method ensures no data recovery tool or forensic process can restore the data, as it directly and irreversibly overwrites it,” Pandya said.

“This malicious script leaves targeted Linux servers or developer environments entirely crippled, highlighting the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.”

The disclosure comes as multiple malicious npm packages have been identified in the registry with features to steal mnemonic seed phrases and private cryptocurrency keys and exfiltrate sensitive data. The list of the packages, identified by Socket, Sonatype, and Fortinet is below –

• crypto-encrypt-ts
• react-native-scrollpageviewtest
• bankingbundleserv
• buttonfactoryserv-paypal
• tommyboytesting
• compliancereadserv-paypal
• oauth2-paypal
• paymentapiplatformservice-paypal
• userbridge-paypal
• userrelationship-paypal

Malware-laced packages targeting cryptocurrency wallets have also been discovered in the Python Package Index (PyPI) repository – web3x and herewalletbot – with capabilities to siphon mnemonic seed phrases. These packages have been collectively downloaded more than 6,800 times since getting published in 2024.

Another set of seven PyPI packages have been found leveraging Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution in an attempt to evade detection. The packages, which have since been removed, are as follows –

• cfc-bsb (2,913 downloads)
• coffin2022 (6,571 downloads)
• coffin-codes-2022 (18,126 downloads)
• coffin-codes-net (6,144 downloads)
• coffin-codes-net2 (6,238 downloads)
• coffin-codes-pro (9,012 downloads)
• coffin-grave (6,544 downloads)

The packages use hard-coded Gmail account credentials to sign-in to the service’s SMTP server and send a message to another Gmail address to signal a successful compromise. They subsequently establish a WebSocket connection to establish a bidirectional communication channel with the attacker.

The threat actors take advantage of the trust associated with Gmail domains (“smtp.gmail[.]com”) and the fact that corporate proxies and endpoint protection systems are unlikely to flag it as suspicious, making it both stealthy and reliable.

The package that apart from the rest is cfc-bsb, which lacks the Gmail-related functionality, but incorporates the WebSocket logic to facilitate remote access.

To mitigate the risk posed by such supply chain threats, developers are advised to verify package authenticity by checking publisher history and GitHub repository links; audit dependencies regularly; and enforce strict access controls on private keys.

“Watch for unusual outbound connections, especially SMTP traffic, since attackers can use legitimate services like Gmail to steal sensitive data,” Socket researcher Olivia Brown said. “Do not trust a package solely because it has existed for more than a few years without being taken down.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com