Security researchers have discovered wiper malware hidden within Golang modules on public GitHub repositories. The modules appear to be part of a supply-chain attack targeting Linux servers, erasing them entirely once the payload launches successfully.
The researchers discovered the attack in April and identified three Go modules on GitHub, which have since been removed from the platform:
- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy
All three modules contained obfuscated code that decodes into commands using ‘wget’ to download the malicious data-wiping shell script (for /bin/bash or /bin/sh).
According to Socket researchers, the payloads are executed immediately after download, “leaving virtually no time for response or recovery.”
These Go modules take advantage of typosquatting, an attack that involves impersonating a legitimate service or product. A potential victim may accidentally ‘wget’ a malicious module through a simple misspelling.
The malicious Go modules appear to have impersonated legitimate projects for converting message data to various formats (Prototransform), a Go implementation of the Model Context Protocol (go-mcp), and a TLS proxy tool that provides encryption for TCP and HTTP servers (tlsproxy).
Socket researchers warn that even minimal exposure to the analyzed destructive modules can have a significant impact, such as complete data loss.
Because the Go ecosystem is decentralized and lacks proper checks, packages from different developers can have the same or similar names.
Attackers can leverage this to create module namespaces that appear legitimate and wait for developers to integrate the malicious code into their projects.
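As an added illustration (not code from the article or from Socket), the check below scans a go.mod for the impersonation pattern described above: a required module that is not on a vetted allowlist but reuses the repository name of an allowlisted module under a different owner. The allowlist owner "example-org" is a placeholder assumption, and the sample go.mod is constructed.

```go
package main

import (
	"bufio"
	"path"
	"strings"
)

// Constructed sample go.mod: one vetted dependency, the three module paths
// named in the article, and an unrelated dependency that must not be flagged.
const sampleGoMod = `module example.com/app
require (
	github.com/example-org/prototransform v1.2.0
	github.com/truthfulpharm/prototransform v0.1.0
	github.com/blankloggia/go-mcp v0.0.3
	github.com/steelpoor/tlsproxy v1.0.0
	golang.org/x/net v0.25.0
)`

// Hypothetical allowlist: "example-org" stands in for whichever owner your team
// has actually vetted; the real upstream owners are not assumed here.
var trustedModules = map[string]bool{
	"github.com/example-org/prototransform": true,
	"github.com/example-org/go-mcp":         true,
	"github.com/example-org/tlsproxy":       true,
}

// FlagSuspiciousRequires parses the require lines of a go.mod and returns every
// module path that is not allowlisted but reuses an allowlisted repository name.
func FlagSuspiciousRequires(goMod string, trusted map[string]bool) []string {
	var flagged []string
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) > 0 && f[0] == "require" { // single-line "require m v" form
			f = f[1:]
		}
		// skips directives, blank lines and the "(" / ")" of a require block
		if len(f) < 2 || !strings.Contains(f[0], "/") || trusted[f[0]] {
			continue
		}
		for t := range trusted {
			if path.Base(f[0]) == path.Base(t) {
				flagged = append(flagged, f[0])
				break
			}
		}
	}
	return flagged
}
```

Run against the sample, the three article module paths are flagged while golang.org/x/net and the vetted prototransform entry pass; misspelled owners or repository names would need an additional edit-distance comparison.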