Dangerous Linux wiper malware hidden within Go modules on GitHub

News
By published

Three modules found hosting very destructive malware

Close up of the Linux penguin.
(Image credit: Linux)
  • Three Golang modules on GitHub were found containing dangerous malware
  • The malware was designed to wipe the entire disk of a Linux server
  • It was removed from the platform

Dangerous Linux malware, capable of bricking servers, has been found in Golang modules on GitHub, experts are saying.

Recently, cybersecurity researchers from Socket found three Go modules on GitHub: github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy.

The three are mimicking legitimate and popular projects: Prototransform (helps convert Protobuf data between different formats), Model Context Protocol (provides encryption and hashing functionalities to AI assistants), and TLS Proxy (a proxy tool providing encryption for TCP and HTTP servers).

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Destroying entire disks

All three do the same thing - as soon as they’re activated, they check to see if they’re running in a Linux environment, and then overwrite every byte of data with zeros.

This essentially bricks the system, as all of the data on it is irreversibly lost. Socket says the disk-wiping code was “highly obfuscated” and triggered as soon as the malware is activated, practically leaving no time to react.

“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable,” Socket explained.

BleepingComputer says the Go ecosystem’s decentralized organization “lacks proper checks”, allowing packages from different developers to have the same, or similar names. Threat actors are abusing this model to run typosquatting attacks, tricking developers into downloading the wrong solutions.

As soon as Socket discovered the malware, it notified GitHub, which removed it from the platform. We don’t know for how long the modules were hosted, or how many people may have fallen victim to the attack.

Unfortunately, there is no easy way to defend against these types of attacks. The best course of action is to be careful when downloading code from open source repositories, to thoroughly analyze the developers and their status in the community, the reviews, and download counts.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.