Cybersecurity researchers have unearthed three malicious Go modules containing encrypted code that retrieves next-stage destructive payloads capable of permanently corrupting a Linux system’s main drive and rendering it unbootable.
The names of the modules are as follows –
- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy
“Despite their seemingly legitimate appearance, these modules harbored heavily obfuscated code intended to retrieve and execute remote payloads,” Socket researcher Kush Pandya said.
The packages are programmed to check whether the system they are running on is Linux and, if so, fetch a second-stage payload from a remote server using wget.
The payload is a harmful shell script that overwrites the entire primary disk (“/dev/sda”) with zeroes, effectively preventing the system from booting.
“This destructive technique ensures no data recovery tool or forensic process can retrieve the data, as it directly and irreversibly overwrites it,” added Pandya.
“This malevolent script leaves targeted Linux servers or developer environments completely incapacitated, underscoring the severe threat posed by modern supply-chain attacks that can transform seemingly reliable code into disastrous hazards.”
The revelation coincides with the identification of multiple malicious npm packages in the registry designed to pilfer mnemonic seed phrases and private cryptocurrency keys and exfiltrate sensitive data. The packages, identified by Socket, Sonatype, and Fortinet, are as follows –
- crypto-encrypt-ts
- react-native-scrollpageviewtest
- bankingbundleserv
- buttonfactoryserv-paypal
- tommyboytesting
- compliancereadserv-paypal
- oauth2-paypal
- paymentapiplatformservice-paypal
- userbridge-paypal
- userrelationship-paypal
Additionally, malware-infested packages targeting cryptocurrency wallets have been identified in the Python Package Index (PyPI) repository – web3x and herewalletbot – capable of siphoning mnemonic seed phrases. These packages have collectively been downloaded over 6,800 times since their publication in 2024.
Another batch of seven PyPI packages has been discovered leveraging Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution in an effort to evade detection. The packages, which have since been removed, are listed as follows –
- cfc-bsb (2,913 downloads)
- coffin2022 (6,571 downloads)
- coffin-codes-2022 (18,126 downloads)
- coffin-codes-net (6,144 downloads)
- coffin-codes-net2 (6,238 downloads)
- coffin-codes-pro (9,012 downloads)
- coffin-grave (6,544 downloads)
The packages utilize hardcoded Gmail account credentials to log into the service’s SMTP server and dispatch a message to another Gmail address signaling a successful breach. Subsequently, they establish a WebSocket connection to create a bidirectional communication channel with the attacker.
The threat actors exploit the credibility associated with Gmail domains (“smtp.gmail[.]com”) and the likelihood that corporate proxies and endpoint protection systems will not flag the traffic as suspicious, making the channel both discreet and dependable.
One package that sets itself apart from the rest is cfc-bsb, which lacks the Gmail-related functionality but incorporates WebSocket logic to enable remote access.
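The hardcoded-Gmail-SMTP pattern described in the preceding paragraphs is something a dependency audit can look for statically. The following is an added example written for this article; it is not Socket's tooling and not code taken from the malicious packages. It parses Python source with the standard-library `ast` module and flags three things: `smtplib.SMTP()`/`SMTP_SSL()` calls whose host is a string literal under `gmail.com`, `.login()` calls whose username and password are both string literals, and imports of WebSocket client libraries. The two source samples it scans are constructed for the demonstration, and the account name and password in the suspicious sample are placeholders.

```python
"""Static audit for hardcoded Gmail SMTP credentials and WebSocket imports.

Added example, not code from the article or the packages it describes.
It inspects Python source with the ``ast`` module rather than running it.
"""
import ast

SMTP_CTORS = {"SMTP", "SMTP_SSL"}
WEBSOCKET_MODULES = {"websocket", "websockets"}  # common client libraries


def _literal_str(node):
    """Return the value of a string-constant AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(node):
    """Return the bare or attribute name a call targets, e.g. 'SMTP_SSL' or 'login'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_source(source, filename="<module>"):
    """Return a list of (line_number, finding) tuples for one source file."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in WEBSOCKET_MODULES:
                findings.append((node.lineno, f"websocket client import: {name}"))

        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in SMTP_CTORS:
            # Host may be passed positionally or as host=...
            host = _literal_str(node.args[0]) if node.args else None
            if host is None:
                for kw in node.keywords:
                    if kw.arg == "host":
                        host = _literal_str(kw.value)
            if host and host.lower().endswith("gmail.com"):
                findings.append((node.lineno, f"SMTP connection to hardcoded host {host!r}"))
        elif name == "login" and len(node.args) >= 2:
            user, pwd = (_literal_str(a) for a in node.args[:2])
            if user is not None and pwd is not None:
                findings.append((node.lineno, f"hardcoded SMTP credentials for {user!r}"))
    return findings


# Constructed sample resembling the behaviour described in the article.
# Account name and password are placeholders, not real values.
SAMPLE_SUSPICIOUS = '''
import smtplib
import websocket

def beacon():
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("placeholder-account@example.com", "placeholder-app-password")
    s.sendmail("placeholder-account@example.com", "drop@example.com", "hello")
'''

# Constructed benign sample: host and credentials come from configuration.
SAMPLE_CLEAN = '''
import os, smtplib

def notify(host):
    s = smtplib.SMTP(host, 587)
    s.login(os.environ["MAIL_USER"], os.environ["MAIL_PASS"])
'''


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, scan_source(src))
```

Run against an installed package with `scan_source(open(path).read(), path)` for each `.py` file under `site-packages`. A literal Gmail host on its own is not proof of malice, but combined with literal credentials or a WebSocket client in a package that has no reason to send mail, it is the pattern described above and worth a manual look.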
To mitigate the risks posed by such supply chain threats, developers are advised to authenticate package legitimacy by verifying publisher history and GitHub repository links, regularly audit dependencies, and enforce stringent access controls on private keys.
“Be vigilant for unusual outbound connections, particularly SMTP traffic, as attackers can exploit legitimate services like Gmail to pilfer sensitive data,” advised Socket researcher Olivia Brown. “Do not place blind trust in a package simply because it has been in existence for several years without being removed.”
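The advice to watch for unusual outbound SMTP connections can be turned into a simple egress-log rule. The following is an added example and not Socket's detection logic: it parses a constructed `key=value` egress log format (an assumption, since the article names no log source) and flags SMTP-port connections from processes that are not known mail clients or approved relays, scoring connections to Gmail's SMTP endpoint higher because, as the article notes, that destination is unlikely to be blocked. As a small extension beyond the quote, it also flags WebSocket upgrades opened by script interpreters, matching the second channel the packages used. Process names, hostnames and the relay allowlist are placeholders.

```python
"""Egress-log check for unexpected SMTP traffic and interpreter WebSockets.

Added example, not the article's or Socket's code. The log format below is
constructed: one record per line, space-separated key=value fields.
"""
import re
from collections import namedtuple

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"thunderbird", "postfix", "sendmail", "exim4", "msmtp"}
INTERPRETERS = {"python", "python3", "node", "ruby", "perl"}
APPROVED_RELAYS = {"relay.corp.example"}  # placeholder corporate relay

Alert = namedtuple("Alert", "severity line reason")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; quoted values keep their inner text."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def classify(fields):
    """Return (severity, reason) for one parsed record, or None if benign."""
    proc = fields.get("proc", "").lower()
    dst = fields.get("dst", "").lower()
    port = fields["dport"]
    if port in SMTP_PORTS and proc not in MAIL_CLIENTS and dst not in APPROVED_RELAYS:
        if dst.endswith("gmail.com"):
            # Legitimate-looking destination used as cover, per the article
            return ("high", f"{proc} sent SMTP to Gmail ({dst}:{port})")
        return ("medium", f"{proc} sent SMTP to {dst}:{port}")
    if fields.get("upgrade", "").lower() == "websocket" and proc in INTERPRETERS:
        return ("medium", f"{proc} opened a WebSocket to {dst}:{port}")
    return None


def scan_log(lines):
    """Run classify() over each non-empty line and collect alerts in order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        verdict = classify(parse_line(line))
        if verdict:
            alerts.append(Alert(verdict[0], line, verdict[1]))
    return alerts


# Constructed sample log: a script interpreter talking to Gmail SMTP and then
# opening a WebSocket, alongside benign mail-client and package-manager traffic.
SAMPLE_LOG = """
ts=2025-05-01T10:22:13Z host=dev-box proc=python3 pid=4411 dst=smtp.gmail.com dport=465 proto=tcp
ts=2025-05-01T10:22:14Z host=dev-box proc=python3 pid=4411 dst=c2-placeholder.example dport=443 proto=tcp upgrade=websocket
ts=2025-05-01T10:23:02Z host=dev-box proc=thunderbird pid=2210 dst=smtp.gmail.com dport=587 proto=tcp
ts=2025-05-01T10:23:40Z host=dev-box proc=python3 pid=4412 dst=pypi.org dport=443 proto=tcp
ts=2025-05-01T10:24:05Z host=ci-runner proc=node pid=900 dst=relay.corp.example dport=587 proto=tcp
"""


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert.severity.upper(), alert.reason)
```

The allowlists are the part to tune: on a developer workstation or CI runner almost no process should be speaking SMTP, so the medium rule can be tightened to "any SMTP not from the approved relay", while the Gmail rule stays as the high-confidence signal.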