Supply Chain Attack Wipes Linux Disks with Malicious Go Modules
A sophisticated supply chain attack is leveraging booby-trapped Go modules to deliver disk-wiping malware to Linux systems, researchers warn. The malware, hidden within three newly discovered modules, uses an intricate obfuscation technique to download and execute payloads capable of permanently overwriting a system's primary hard drive, effectively bricking the machine.

Cybersecurity researchers have just uncovered three nasty Go modules that could completely wipe your system's hard drive. These modules contain sneaky, hidden code designed to fetch even more malicious payloads. If triggered, these payloads can overwrite your main disk, leaving your system unbootable – permanently.
Here are the names of the troublemakers:
- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy
"Even though they look harmless, these modules are packing heavily obfuscated code that grabs and runs remote payloads," warns Kush Pandya, a researcher at Socket.
So, how do they work? The modules first check if they're running on a Linux system. If the answer is yes, they download a second-stage payload from a remote server, usually using wget.
And here's the really scary part: that payload is a shell script designed to completely overwrite your primary disk (/dev/sda) with zeros. This effectively bricks your machine.
Pandya emphasizes the severity: "This method is designed to prevent any data recovery. It directly and irreversibly overwrites the data, making it impossible to restore."
This all adds up to a seriously crippled Linux server or developer environment. It's a stark reminder of how supply-chain attacks can turn seemingly trustworthy code into a complete disaster.
More Bad News: Malicious npm and PyPI Packages on the Rise
And it doesn't stop there. Researchers have also found a bunch of malicious npm packages designed to steal mnemonic seed phrases, private crypto keys, and other sensitive data. Here's a quick list, identified by Socket, Sonatype, and Fortinet:
- crypto-encrypt-ts
- react-native-scrollpageviewtest
- bankingbundleserv
- buttonfactoryserv-paypal
- tommyboytesting
- compliancereadserv-paypal
- oauth2-paypal
- paymentapiplatformservice-paypal
- userbridge-paypal
- userrelationship-paypal
It's not just npm either. The Python Package Index (PyPI) has also been hit with malware targeting crypto wallets. Packages like web3x and herewalletbot can steal your mnemonic seed phrases. Since being published in 2024, they've been downloaded over 6,800 times.
Another seven PyPI packages were discovered using Gmail's SMTP servers and WebSockets to sneak data out and execute remote commands – all in an attempt to stay under the radar. These packages, which have since been removed, include:
- cfc-bsb (2,913 downloads)
- coffin2022 (6,571 downloads)
- coffin-codes-2022 (18,126 downloads)
- coffin-codes-net (6,144 downloads)
- coffin-codes-net2 (6,238 downloads)
- coffin-codes-pro (9,012 downloads)
- coffin-grave (6,544 downloads)
These packages use hard-coded Gmail credentials to log in and send a "success" message. Then, they open a WebSocket connection for two-way communication with the attacker.
The attackers are banking on the trust associated with Gmail domains (smtp.gmail[.]com). Corporate proxies and security systems often overlook this traffic, making the attack stealthy and reliable.
One package, cfc-bsb, stands out. It skips the Gmail trick but still uses WebSockets for remote access.
How to Protect Yourself
So, what can you do to stay safe from these supply chain attacks? Here are a few key steps:
- Verify Package Authenticity: Check the publisher's history and GitHub repository links.
- Audit Dependencies Regularly: Keep a close eye on what your code relies on.
- Enforce Strict Access Controls: Protect your private keys.
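The dependency audit above is easy to script. The following Python is an added example, not code from the article or from Socket: it parses go.mod, package.json and pip requirements files and reports any dependency whose name matches one of the packages reported on this page. The manifests at the bottom are constructed for the demo; the blocklist keeps the article's defanged "[.]" form and is normalised at load time, and pip names are compared after PEP 503 normalisation so spelling variants such as Coffin_Codes.Net still match.

```python
"""Audit dependency manifests against the package names reported in the article.

Added example (not from the article or Socket). The manifest contents in
SAMPLE_MANIFESTS are constructed for the demo.
"""
import json
import re

# Names exactly as the article reports them (Go modules are defanged with "[.]").
REPORTED_GO_MODULES = [
    "github[.]com/truthfulpharm/prototransform",
    "github[.]com/blankloggia/go-mcp",
    "github[.]com/steelpoor/tlsproxy",
]
REPORTED_NPM_PACKAGES = [
    "crypto-encrypt-ts", "react-native-scrollpageviewtest", "bankingbundleserv",
    "buttonfactoryserv-paypal", "tommyboytesting", "compliancereadserv-paypal",
    "oauth2-paypal", "paymentapiplatformservice-paypal", "userbridge-paypal",
    "userrelationship-paypal",
]
REPORTED_PYPI_PACKAGES = [
    "web3x", "herewalletbot", "cfc-bsb", "coffin2022", "coffin-codes-2022",
    "coffin-codes-net", "coffin-codes-net2", "coffin-codes-pro", "coffin-grave",
]


def refang(name):
    """Turn a defanged indicator ("github[.]com/x") back into a comparable name."""
    return name.replace("[.]", ".").lower()


def pep503(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_go_mod(text):
    """Return module paths from single-line and block-form require directives."""
    mods, in_block = set(), False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            mods.add(line.split()[0].lower())
        elif line.startswith("require "):
            mods.add(line.split()[1].lower())
    return mods


def parse_package_json(text):
    """Return dependency names from every dependency section of package.json."""
    data = json.loads(text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(k.lower() for k in data.get(section, {}))
    return names


def parse_requirements(text):
    """Return normalised distribution names from a pip requirements file."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.add(pep503(m.group(0)))
    return names


def audit(manifests):
    """Map each manifest path to the sorted list of reported packages it pulls in."""
    go_bad = {refang(n) for n in REPORTED_GO_MODULES}
    npm_bad = {n.lower() for n in REPORTED_NPM_PACKAGES}
    pypi_bad = {pep503(n) for n in REPORTED_PYPI_PACKAGES}
    hits = {}
    for path, text in manifests.items():
        if path.endswith("go.mod"):
            found = parse_go_mod(text) & go_bad
        elif path.endswith("package.json"):
            found = parse_package_json(text) & npm_bad
        elif path.endswith(".txt"):
            found = parse_requirements(text) & pypi_bad
        else:
            continue
        if found:
            hits[path] = sorted(found)
    return hits


# Constructed manifests for the demo; not taken from any real project.
SAMPLE_MANIFESTS = {
    "svc/go.mod": (
        "module example.com/svc\n\ngo 1.22\n\nrequire (\n"
        "\tgithub.com/steelpoor/tlsproxy v0.1.0 // indirect\n"
        "\tgolang.org/x/crypto v0.21.0\n)\n"
    ),
    "web/package.json": json.dumps({
        "dependencies": {"react": "^18.0.0", "oauth2-paypal": "1.0.0"},
        "devDependencies": {"jest": "^29.0.0"},
    }),
    "tools/requirements.txt": "requests==2.31.0\nCoffin_Codes.Net>=1.0  # constructed\n",
}

if __name__ == "__main__":
    for path, bad in audit(SAMPLE_MANIFESTS).items():
        print(f"{path}: pulls in reported package(s) {', '.join(bad)}")
```

A name match is only the first filter; the same parsers can feed a checksum or provenance check (the Go checksum database, npm or PyPI publisher history) for everything that is not on a blocklist, which is the "verify package authenticity" step in the list above.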
As Socket researcher Olivia Brown points out: "Watch for unusual outbound connections, especially SMTP traffic, since attackers can use legitimate services like Gmail to steal sensitive data. Don't trust a package *just* because it's been around for years without being taken down."
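One way to act on that advice is to correlate outbound connection records. The Python below is an added example, not code from Socket or the article; the record format, host names and allowlists are constructed assumptions. It flags SMTP from any host that is not a known mail relay and WebSocket connections to unknown destinations, and raises the severity when the same host and process does both within a few minutes, which is the sequence the article describes for the Gmail-based packages.

```python
"""Triage outbound-connection records for the SMTP-then-WebSocket sequence
described in the article. Added example, not code from the article or Socket.
The record layout, host names and allowlists are constructed for the demo."""
import re
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}
# Constructed allowlists: hosts that may send SMTP outbound, and WebSocket
# endpoints the organisation already knows about.
MAIL_RELAY_HOSTS = {"mailgw01"}
KNOWN_WS_DESTS = {"chat.example.internal"}
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed record layout: "<iso-ts> host=<h> proc=<p> user=<u> dst=<name>:<port> [ws=1]"
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)(?: ws=(?P<ws>[01]))?$"
)


def parse(line):
    """Parse one record into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["port"] = int(rec["port"])
    rec["ws"] = rec["ws"] == "1"
    return rec


def triage(lines):
    """Return a list of alert dicts in log order.

    Rule 1: outbound SMTP from anything but a known mail relay -> medium.
    Rule 2: WebSocket to an unknown destination -> medium, raised to high when
            the same host/process was flagged for SMTP within CORRELATION_WINDOW.
    """
    alerts = []
    last_smtp = {}  # (host, proc) -> timestamp of the most recent flagged SMTP
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["host"], rec["proc"])
        if rec["port"] in SMTP_PORTS and rec["host"] not in MAIL_RELAY_HOSTS:
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                "severity": "medium",
                "reason": f"outbound SMTP to {rec['dst']}:{rec['port']} from a non-mail host",
            })
            last_smtp[key] = rec["ts"]
        if rec["ws"] and rec["dst"] not in KNOWN_WS_DESTS:
            severity = "medium"
            reason = f"WebSocket to unknown destination {rec['dst']}:{rec['port']}"
            prev = last_smtp.get(key)
            if prev is not None and rec["ts"] - prev <= CORRELATION_WINDOW:
                severity = "high"
                reason += " shortly after outbound SMTP from the same process"
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                "severity": severity, "reason": reason,
            })
    return alerts


# Constructed records for the demo; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = [
    "2025-05-01T10:00:00Z host=mailgw01 proc=postfix user=postfix dst=smtp.gmail.com:587",
    "2025-05-01T10:01:10Z host=build01 proc=python3 user=ci dst=smtp.gmail.com:465",
    "2025-05-01T10:01:12Z host=build01 proc=python3 user=ci dst=203.0.113.7:443 ws=1",
    "2025-05-01T10:02:00Z host=dev02 proc=node user=alice dst=chat.example.internal:443 ws=1",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['ts'].isoformat()} {a['host']}/{a['proc']}: {a['reason']}")
```

The destination-based rule on its own would pass smtp.gmail.com through, which is exactly the blind spot the article describes; keying on the sending host and process instead makes a build runner or developer workstation talking SMTP stand out regardless of how reputable the mail domain is.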