Malicious Go Modules Deploying Disk-Wiping Malware


Summary
Socket uncovered a highly destructive supply-chain attack targeting Go developers through malicious Go modules. The attackers exploited Go's decentralized and open module ecosystem to distribute obfuscated modules that ultimately delivered a disk-wiping payload.
The attack leveraged namespace confusion and the lack of central gatekeeping in the Go ecosystem, making it difficult for developers to distinguish legitimate modules from malicious ones. Three modules—prototransform, go-mcp, and tlsproxy—were found to contain obfuscated code designed to fetch and execute remote threats.
Figure 1 - Multiple similarly named Go modules creating namespace confusion (Source – Socket.dev)
Technical Analysis
Attackers cleverly masked their intent using array-based string obfuscation combined with dynamic payload execution. Here’s how one malicious module (truthfulpharm/prototransform) employed this technique:
Figure 2 – Obfuscation Technique (Source – Socket.dev)
Figure 3 – Decoded malicious commands (Source – Socket.dev)
The decoded intent of the malicious modules reveals a clear objective: to fetch and immediately execute a destructive shell script named done.sh from an attacker-controlled URL (https://vanartest[.]website/storage/de373d0df/a31546bf). This rapid execution leaves little to no opportunity for response or mitigation. Additional URLs with the same path structure, now offline, were identified in the other malicious modules:
hxxps://kaspamirror[.]icu/storage/de373d0df/a31546bf
hxxp://147.45.44[.]41/storage/de373d0df/ccd7b46d
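The obfuscation described above (a string array joined at runtime and handed to a shell) is easy to miss in review but simple to surface mechanically. The following Go program is an added example, not code from Socket's report or from the malicious modules: it parses Go source with the standard go/ast package and flags every exec.Command call whose arguments are not plain string literals, noting when an argument was produced by strings.Join. The embedded sample source is a constructed, benign snippet that only echoes a word; it imitates the shape of the technique, not the payload.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// sampleSource is a constructed, benign snippet that mimics the shape of the
// obfuscation described in the report: a string array joined at runtime and
// handed to os/exec. It is not the malicious module's code.
const sampleSource = `package main

import (
	"os/exec"
	"strings"
)

func main() {
	parts := []string{"ec", "ho", " ", "hi"}
	cmd := strings.Join(parts, "")
	exec.Command("sh", "-c", cmd).Run()
}
`

// benignSource is a constructed control case: every exec argument is a literal.
const benignSource = `package main

import "os/exec"

func main() {
	exec.Command("ls", "-l").Run()
}
`

// Finding describes one exec.Command call with runtime-assembled arguments.
type Finding struct {
	Line   int
	Reason string
}

// ScanSource parses Go source and reports exec.Command calls whose arguments
// are not all plain string literals, i.e. commands assembled at runtime.
// Identifiers assigned from strings.Join are called out explicitly, because
// that is the join-an-array pattern this report describes.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	joined := map[string]bool{} // variables assigned from strings.Join(...)
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt:
			for i, rhs := range x.Rhs {
				if isCall(rhs, "strings", "Join") && i < len(x.Lhs) {
					if id, ok := x.Lhs[i].(*ast.Ident); ok {
						joined[id.Name] = true
					}
				}
			}
		case *ast.CallExpr:
			if !isCall(x, "exec", "Command") {
				return true
			}
			var reasons []string
			for _, arg := range x.Args {
				switch a := arg.(type) {
				case *ast.BasicLit:
					// plain literal: nothing to flag
				case *ast.Ident:
					if joined[a.Name] {
						reasons = append(reasons, a.Name+" is built with strings.Join")
					} else {
						reasons = append(reasons, a.Name+" is a runtime value")
					}
				default:
					reasons = append(reasons, "non-literal argument")
				}
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{
					Line:   fset.Position(x.Pos()).Line,
					Reason: strings.Join(reasons, "; "),
				})
			}
		}
		return true
	})
	return findings, nil
}

// isCall reports whether e is a call of the form pkg.name(...).
func isCall(e ast.Expr, pkg, name string) bool {
	call, ok := e.(*ast.CallExpr)
	if !ok {
		return false
	}
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	id, ok := sel.X.(*ast.Ident)
	return ok && id.Name == pkg && sel.Sel.Name == name
}

func main() {
	findings, err := ScanSource(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d: exec.Command with runtime-assembled arguments (%s)\n", f.Line, f.Reason)
	}
}
```

Run against a vendored module tree this produces a short list of call sites worth a human look; a legitimate library rarely needs to assemble a shell command from pieces at runtime, so each hit is either an explainable exception or exactly the pattern Figure 2 shows.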
The payload is designed to specifically target Linux systems, verifying the operating system before execution to ensure it primarily affects Linux-based servers or developer environments.
The payload retrieved from one of the malicious URLs contains a highly destructive shell script named done.sh, designed to irreversibly wipe the system:
Figure 4 – done.sh script (Source – Socket.dev)
This script leverages the dd utility, a powerful Unix command, to copy zeros from /dev/zero directly onto /dev/sda—the primary disk of most Linux systems. This action is catastrophic for several reasons:
/dev/sda typically contains the operating system, user files, databases, and critical configurations.
Overwriting this disk with zeros doesn't simply delete data—it completely erases every byte, effectively destroying the entire file system and operating environment.
The result is a system that becomes unbootable and beyond recovery, even with advanced forensic or data restoration tools.
This script directly targets the core storage device, rendering affected Linux servers or developer machines entirely inoperable. It underscores the severe risks posed by modern supply-chain attacks, where malicious actors can weaponize seemingly legitimate code to deliver devastating payloads.
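Because the wiper is fetched from an attacker-controlled host at the moment the module code runs, the outbound request is the one observable event before the disk is overwritten. The program below is an added example, not part of the report: it checks constructed CI-runner egress records against an allowlist of hosts a Go build is expected to reach and escalates any destination matching the indicators listed above. The record format, runner names and allowlist are assumptions made for the example; real proxy, conntrack or VPC flow logs need their own field mapping.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog holds constructed egress records from a CI runner in a simple
// "timestamp runner proto src -> dst:port" shape chosen for this example.
var sampleLog = []string{
	"2025-05-02T09:14:03Z ci-runner-3 tcp 10.20.0.14:49812 -> proxy.golang.org:443",
	"2025-05-02T09:14:04Z ci-runner-3 tcp 10.20.0.14:49813 -> sum.golang.org:443",
	"2025-05-02T09:14:09Z ci-runner-3 tcp 10.20.0.14:49820 -> 147.45.44.41:80",
	"2025-05-02T09:14:11Z ci-runner-3 tcp 10.20.0.14:49821 -> unlisted-host.example:443",
}

// allowedEgress lists destinations a Go build is expected to contact
// (assumed allowlist; extend with your own proxy, VCS and registry hosts).
var allowedEgress = map[string]bool{
	"proxy.golang.org": true,
	"sum.golang.org":   true,
	"github.com":       true,
}

// knownBad holds the indicators named in this report.
var knownBad = map[string]bool{
	"vanartest.website": true,
	"kaspamirror.icu":   true,
	"147.45.44.41":      true,
}

// Alert is one flagged connection.
type Alert struct {
	Severity string // "known-bad" or "unlisted"
	Runner   string
	Dest     string
	Line     string
}

// ParseDest extracts the runner name and destination host from one record.
// It returns ok=false for lines that do not match the expected shape.
func ParseDest(line string) (runner, host string, ok bool) {
	fields := strings.Fields(line)
	if len(fields) != 6 || fields[4] != "->" {
		return "", "", false
	}
	dst := fields[5]
	i := strings.LastIndex(dst, ":")
	if i < 0 {
		return "", "", false
	}
	return fields[1], dst[:i], true
}

// CheckEgress returns an alert for every record whose destination is not on
// the allowlist, escalating to "known-bad" when it matches an indicator.
func CheckEgress(lines []string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		runner, host, ok := ParseDest(l)
		if !ok || allowedEgress[host] {
			continue
		}
		sev := "unlisted"
		if knownBad[host] {
			sev = "known-bad"
		}
		alerts = append(alerts, Alert{Severity: sev, Runner: runner, Dest: host, Line: l})
	}
	return alerts
}

func main() {
	for _, a := range CheckEgress(sampleLog) {
		fmt.Printf("[%s] %s -> %s\n", a.Severity, a.Runner, a.Dest)
	}
}
```

The point of the allowlist is that a build environment has a small, knowable set of legitimate destinations; anything else is worth an alert even before it matches a published indicator, which is what turns this from a post-incident check into a detection.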
Recommendations
Avoid importing Go modules directly from unknown or unofficial GitHub repositories. Prefer modules maintained by verified authors or hosted on reputable sources.
Conduct periodic reviews of all third-party packages used in your projects. Use automated tools to scan for known vulnerabilities and suspicious behaviors.
Provide training on identifying suspicious modules, namespace confusion, and the risks of implicit trust in open source ecosystems.
Set up monitoring to detect unusual outbound connections from development or CI/CD environments, especially to unrecognized IPs or domains.
If a malicious module is identified, report it to GitHub and Go maintainers to help protect the wider community.
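The namespace confusion at the heart of this campaign (a module whose final path element matches a well-known name but that lives under a different owner) can be checked in CI against the module paths a team has actually vetted. The program below is an added example and not part of the report or of any Go tooling: it reads the require block of a go.mod and reports every module that shares its last path element with a trusted module but differs in host or owner. The go.mod content and the trusted-module list are constructed for the example; the owner names in them are placeholders and do not identify the legitimate upstream projects.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod whose require block mixes vetted
// modules with two look-alikes: same final path element, different owner.
const sampleGoMod = `module example.com/ci-audit

go 1.22

require (
	github.com/trusted-org/prototransform v1.2.0
	github.com/someone-else/prototransform v1.2.1 // indirect
	github.com/another-owner/go-mcp v0.3.0
	golang.org/x/text v0.14.0
)
`

// trustedModules is a constructed allowlist of vetted module paths; a real
// one would be maintained alongside the organisation's dependency policy.
var trustedModules = []string{
	"github.com/trusted-org/prototransform",
	"github.com/trusted-org/go-mcp",
	"golang.org/x/text",
}

// Suspect pairs a required module with the trusted module it resembles.
type Suspect struct {
	Module    string
	LooksLike string
}

// RequiredModules extracts module paths from the require directives of
// go.mod text, handling both the single-line and the block form.
func RequiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if strings.HasPrefix(line, "//") {
				continue // comment line inside the block
			}
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[0])
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// lastElem returns the final element of a module path ("go-mcp" for
// github.com/x/go-mcp), the part a developer sees when typing an import.
func lastElem(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// FindLookalikes flags required modules that share a final path element
// with a trusted module but are not themselves on the trusted list.
func FindLookalikes(gomod string, trusted []string) []Suspect {
	byName := map[string][]string{}
	trustedSet := map[string]bool{}
	for _, t := range trusted {
		byName[lastElem(t)] = append(byName[lastElem(t)], t)
		trustedSet[t] = true
	}
	var out []Suspect
	for _, m := range RequiredModules(gomod) {
		if trustedSet[m] {
			continue
		}
		for _, t := range byName[lastElem(m)] {
			out = append(out, Suspect{Module: m, LooksLike: t})
		}
	}
	return out
}

func main() {
	for _, s := range FindLookalikes(sampleGoMod, trustedModules) {
		fmt.Printf("review: %s resembles vetted module %s\n", s.Module, s.LooksLike)
	}
}
```

A check like this belongs in the same pipeline stage as the vulnerability scan the recommendations call for: it does not decide that a module is malicious, only that a human should confirm why a dependency with a familiar name is being pulled from an owner the team has not vetted.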
Conclusion
The identification of the malicious Go modules—prototransform, go-mcp, and tlsproxy—underscores the ongoing and evolving risks within open-source ecosystems. By taking advantage of namespace ambiguity and the inherent trust developers place in publicly available code, attackers can insert destructive payloads capable of causing irreversible damage to organizational infrastructure.
Read articles from FPT Metrodata Indonesia directly inside your inbox. Subscribe to the newsletter, and don't miss out.