- Three Golang modules on GitHub were found containing dangerous malware
- The malware was designed to wipe the entire disk of a Linux server
- It was removed from the platform
Dangerous Linux malware, capable of bricking servers, has been found in Golang modules on GitHub, experts are saying.
Recently, cybersecurity researchers from Socket found three Go modules on GitHub: github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy.
The three are mimicking legitimate and popular projects: Prototransform (helps convert Protobuf data between different formats), Model Context Protocol (provides encryption and hashing functionalities to AI assistants), and TLS Proxy (a proxy tool providing encryption for TCP and HTTP servers).
Destroying entire disks
All three do the same thing – as soon as they’re activated, they check to see if they’re running in a Linux environment, and then overwrite every byte of data with zeros.
This essentially bricks the system, as all of the data on it is irreversibly lost. Socket says the disk-wiping code was “highly obfuscated” and triggered as soon as the malware is activated, practically leaving no time to react.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable,” Socket explained.
BleepingComputer says the Go ecosystem’s decentralized organization “lacks proper checks”, allowing packages from different developers to have the same, or similar names. Threat actors are abusing this model to run typosquatting attacks, tricking developers into downloading the wrong solutions.
As soon as Socket discovered the malware, it notified GitHub, which removed it from the platform. We don’t know for how long the modules were hosted, or how many people may have fallen victim to the attack.
Unfortunately, there is no easy way to defend against these types of attacks. The best course of action is to be careful when downloading code from open source repositories, to thoroughly analyze the developers and their status in the community, the reviews, and download counts.
Via BleepingComputer
