Dangerous Linux wiper malware hidden within Go modules on GitHub
Three modules found hosting very destructive malware

- Three Golang modules on GitHub were found containing dangerous malware
- The malware was designed to wipe the entire disk of a Linux server
- It was removed from the platform
Dangerous Linux malware, capable of bricking servers, has been found in Golang modules on GitHub, experts are saying.
Recently, cybersecurity researchers from Socket found three Go modules on GitHub: github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy.
The three are mimicking legitimate and popular projects: Prototransform (helps convert Protobuf data between different formats), Model Context Protocol (provides encryption and hashing functionalities to AI assistants), and TLS Proxy (a proxy tool providing encryption for TCP and HTTP servers).
Destroying entire disks
All three do the same thing - as soon as they’re activated, they check to see if they’re running in a Linux environment, and then overwrite every byte of data with zeros.
This essentially bricks the system, as all of the data on it is irreversibly lost. Socket says the disk-wiping code was “highly obfuscated” and triggered as soon as the malware is activated, practically leaving no time to react.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable,” Socket explained.
BleepingComputer says the Go ecosystem’s decentralized organization “lacks proper checks”, allowing packages from different developers to have the same, or similar names. Threat actors are abusing this model to run typosquatting attacks, tricking developers into downloading the wrong solutions.
As soon as Socket discovered the malware, it notified GitHub, which removed it from the platform. We don’t know for how long the modules were hosted, or how many people may have fallen victim to the attack.
Unfortunately, there is no easy way to defend against these types of attacks. The best course of action is to be careful when downloading code from open source repositories, to thoroughly analyze the developers and their status in the community, the reviews, and download counts.
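The typosquatting pattern described above (a package under a different owner carrying the same or a near-identical repository name) can be turned into a mechanical check on a project's dependencies. The following Go program is an added example written for this article; it is not code from Socket, BleepingComputer or any of the projects named. It parses a go.mod file, compares every requirement against an allowlist of module paths a team has already reviewed, and flags requirements whose repository name matches a vetted one after normalising case and separators. The allowlist, the `example-org` paths and the `other-org/logutil` and `tls-proxy` entries in the sample go.mod are constructed assumptions; the three lookalike paths are the ones named in the article.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one go.mod requirement that did not match the vetted allowlist.
type Finding struct {
	Module  string // module path as written in go.mod
	Nearest string // vetted module it appears to impersonate, if any
	Reason  string // why it was flagged
}

// vetted is a constructed allowlist; the example-org entries are assumptions, not real upstream paths.
var vetted = []string{
	"github.com/example-org/prototransform",
	"github.com/example-org/go-mcp",
	"github.com/example-org/tlsproxy",
	"golang.org/x/crypto",
}

// sampleGoMod is a constructed go.mod: vetted modules, the three lookalike paths from the article, a separator variant and an unrelated module.
const sampleGoMod = `module example.com/internal/service
require (
	github.com/example-org/prototransform v1.4.0
	github.com/truthfulpharm/prototransform v0.1.0 // same repo name, other owner
	github.com/steelpoor/tlsproxy v0.0.1
	github.com/example-org/tls-proxy v1.0.0 // separator variant
	golang.org/x/crypto v0.23.0
)
require github.com/blankloggia/go-mcp v0.2.0
require github.com/other-org/logutil v1.0.0
`

// ParseRequires extracts module paths from go.mod text, handling both the
// single-line "require x v1.2.3" form and the "require ( ... )" block form.
func ParseRequires(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, fields[0])
		case line == "require (":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 2:
			mods = append(mods, fields[1])
		}
	}
	return mods
}

// normalize lowercases the last path element and strips the separators that
// lookalike names vary ("tls-proxy", "tls_proxy" and "tlsproxy" all collapse).
func normalize(p string) string {
	name := strings.ToLower(p[strings.LastIndex(p, "/")+1:])
	return strings.NewReplacer("-", "", "_", "", ".", "").Replace(name)
}

// CheckModules reports every requirement absent from the allowlist and, when its
// repository name matches a vetted one after normalisation (same name under another
// owner, as with the modules above, or a separator/case variant), names that module.
func CheckModules(required, allow []string) []Finding {
	allowed := make(map[string]bool, len(allow))
	byName := make(map[string]string, len(allow)) // normalised name -> vetted path
	for _, v := range allow {
		allowed[v] = true
		byName[normalize(v)] = v
	}
	var out []Finding
	for _, m := range required {
		if allowed[m] {
			continue // exact match with a vetted path
		}
		f := Finding{Module: m, Reason: "not on allowlist"}
		if v, ok := byName[normalize(m)]; ok {
			f.Nearest, f.Reason = v, "lookalike of vetted module"
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range CheckModules(ParseRequires(sampleGoMod), vetted) {
		fmt.Printf("%-42s %-28s %s\n", f.Module, f.Reason, f.Nearest)
	}
}
```

In practice the allowlist lives in version control and ParseRequires is pointed at the project's real go.mod in CI. The check is deliberately narrow: it cannot tell a malicious module from a legitimate fork, only that a dependency resolves to a path nobody has reviewed, which is exactly the moment to do the manual vetting described above. It also complements rather than replaces go.sum, which verifies that a module's contents have not changed but says nothing about whether the module path is the one you meant.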
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.