Malicious Go Modules Spread Disk-Wiping Linux Malware
Cybersecurity researchers have recently uncovered three malicious Go modules that use obfuscated code to fetch destructive payloads capable of irreversibly damaging Linux systems. These modules appear legitimate but are designed to execute remote payloads that wipe a system's primary disk, rendering it unbootable.
Identified Unsafe Go Packages
The following Go modules are implicated:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
These packages contain highly obfuscated code, which is engineered to download and execute payloads when run on a Linux system.
Destructive Payloads Overwrite Critical Disk Data
The malicious code checks whether it is running on Linux and, if so, uses wget to fetch a next-stage payload from a remote server. This payload is a destructive shell script that overwrites the system's primary disk (/dev/sda) with zeroes. As a result, the system becomes unbootable, and no data recovery tools or forensic processes can restore the lost information, as the disk contents are irreversibly destroyed. This method highlights the extreme risk posed by supply-chain attacks, where seemingly legitimate code can cause catastrophic damage to Linux servers and developer environments.
Growing Threat from Fraudulent npm Packages
Alongside the discovery of the malicious Go modules, multiple harmful npm packages have also been detected. These packages are designed to harvest sensitive information, including mnemonic seed phrases and private cryptocurrency keys, enabling the theft of users' digital assets.
Suspicious npm Packages Identified
The following npm packages have been flagged as malicious:
- crypto-encrypt-ts
- react-native-scrollpageviewtest
- bankingbundleserv
- buttonfactoryserv-paypal
- tommyboytesting
- compliancereadserv-paypal
- oauth2-paypal
- paymentapiplatformservice-paypal
- userbridge-paypal
- Userrelationship-paypal
These packages are deliberately crafted to exfiltrate sensitive information, posing a serious threat to users' privacy and security.
Malware-Laden PyPI Packages Harvest Cryptocurrency Data
The Python Package Index (PyPI) repository has also seen a rise in malicious packages targeting cryptocurrency wallets. These packages have been downloaded over 6,800 times since their release in 2024 and are designed to steal mnemonic seed phrases, compromising users' cryptocurrency holdings.
Notable Unsafe PyPI Packages
Two key packages targeting cryptocurrency wallets include:
- web3x
- herewalletbot
These packages aim to siphon mnemonic seed phrases from users, jeopardizing their digital assets. Additionally, another set of seven PyPI packages, which have now been removed, was discovered using Gmail's SMTP servers and WebSockets to exfiltrate data and establish remote access.
Gmail-Based Data Exfiltration and Remote Command Execution
The unsafe PyPI packages use hard-coded Gmail credentials to sign in to Gmail's SMTP server and send a message to another Gmail address to indicate a successful compromise. After this, a WebSocket connection is established, allowing the attacker to maintain bidirectional communication with the compromised system.
The use of Gmail domains (smtp.gmail.com) makes these attacks more stealthy, as corporate proxies and endpoint protection systems are less likely to flag them as suspicious, given the trust associated with Gmail services.
Standout Package: cfc-bsb
The package cfc-bsb is noteworthy as it does not feature Gmail functionality but instead uses WebSocket logic to facilitate remote access, bypassing traditional detection measures.
How to Mitigate Supply Chain Threats
To protect against these harmful packages and other supply chain threats, developers should adopt the following practices:
- Verify Package Authenticity: Check the publisher's history and GitHub repository links to ensure the package's legitimacy.
- Audit Dependencies Regularly: Routinely audit dependencies and ensure that they are up-to-date and free from malicious code.
- Enforce Strict Access Controls: Implement strict access control mechanisms to protect private keys and other sensitive credentials.
Additionally, developers should remain vigilant for unusual outbound connections, particularly SMTP traffic, as attackers may use legitimate services like Gmail for data exfiltration. It is also crucial to avoid trusting a package solely because it has existed for a long time without being removed, as this could mask unsafe activity.
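The advice above to watch for unusual outbound SMTP traffic can be turned into a simple detection. The following Python example is added here and is not code from the original article or from any of the reports it summarises; it assumes a simplified, constructed flow-record format (timestamp, source, source port, destination, destination port, protocol, service) and an assumed policy that only one internal mail relay may speak SMTP to public addresses. Any developer workstation or build host opening a connection to a public SMTP port is flagged.

```python
"""Flag outbound SMTP from hosts that are not approved mail relays."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

SMTP_PORTS = {25, 465, 587}

# Assumed policy: only this internal relay may send mail to the Internet.
APPROVED_MAIL_RELAYS = {ipaddress.ip_address("10.0.9.1")}

# Constructed, simplified flow records (not real traffic). The public
# address is illustrative only. Columns:
# ts src_ip src_port dst_ip dst_port proto service
SAMPLE_FLOWS = """\
1714651200.1 10.0.5.20 51342 142.250.80.109 587 tcp smtp
1714651201.4 10.0.5.20 51350 142.250.80.109 443 tcp ssl
1714651202.0 10.0.9.7 42011 10.0.9.1 25 tcp smtp
1714651203.8 10.0.9.1 40022 142.250.80.109 25 tcp smtp
1714651204.2 10.0.5.31 51601 203.0.113.5 443 tcp ssl
"""

@dataclass(frozen=True)
class Flow:
    ts: float
    src: Addr
    sport: int
    dst: Addr
    dport: int
    proto: str
    service: str

def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated records above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service = line.split()
        flows.append(Flow(float(ts), ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto, service))
    return flows

def is_suspicious_smtp(flow: Flow) -> bool:
    """True for SMTP (by port or service tag) to a public address from a
    host that is not an approved relay; internal relay hops are ignored."""
    if flow.proto != "tcp":
        return False
    if flow.dport not in SMTP_PORTS and flow.service != "smtp":
        return False
    if not flow.dst.is_global:
        return False
    return flow.src not in APPROVED_MAIL_RELAYS

def find_suspicious_smtp(text: str) -> List[Flow]:
    return [f for f in parse_flows(text) if is_suspicious_smtp(f)]

if __name__ == "__main__":
    for f in find_suspicious_smtp(SAMPLE_FLOWS):
        print(f"{f.ts:.1f} {f.src} -> {f.dst}:{f.dport} unexpected outbound SMTP")
```

On the sample data only the first record (a workstation talking directly to a public SMTP submission port) is reported; the relay's own traffic and the internal hop to the relay are not.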