Cybersecurity experts have uncovered a stealthy supply chain attack involving three malicious Go modules designed to completely wipe Linux systems. These modules, masked as legitimate packages, conceal highly obfuscated code that downloads and executes a second-stage payload with devastating effects.
The compromised modules, github[.]com/truthfulpharm/prototransform, github[.]com/blankloggia/go-mcp, and github[.]com/steelpoor/tlsproxy, were found to specifically target Linux environments. Once executed, they reach out to a remote server via wget and pull in a shell script capable of wiping the system’s main disk (/dev/sda) by overwriting it with zeroes. This action permanently prevents the system from booting and makes any data recovery virtually impossible.
Socket researcher Kush Pandya, who led the investigation, emphasized the severity of this attack. He noted that although the modules appear clean at first glance, they’re loaded with deceptive code meant to hijack trusted development environments. The malware’s approach ensures complete data destruction, leaving affected systems inoperable and untraceable.
This incident underscores a growing trend in modern software supply chain attacks, where attackers infiltrate developer ecosystems to spread harmful code under the guise of open-source packages.
But the threat doesn’t stop there.
Security researchers from Socket, Sonatype, and Fortinet have also flagged a wave of malicious npm packages targeting cryptocurrency users. These packages are engineered to steal sensitive wallet data, including mnemonic seed phrases and private keys. Some of the flagged npm packages include:
- crypto-encrypt-ts
- react-native-scrollpageviewtest
- bankingbundleserv
- buttonfactoryserv-paypal
- oauth2-paypal
- userrelationship-paypal
In parallel, the Python Package Index (PyPI) has seen similar threats. Packages like web3x and herewalletbot were recently found to contain wallet-draining malware. Despite their malicious nature, they’ve collectively been downloaded over 6,800 times since their release in 2024.
Adding to the alarm, another batch of PyPI packages, most notably the “coffin” series, has been caught exfiltrating data via Gmail SMTP and WebSocket connections. The list includes:
- cfc-bsb
- coffin2022
- coffin-codes-2022
- coffin-codes-net
- coffin-codes-net2
- coffin-codes-pro
- coffin-grave
These packages contain hard-coded Gmail credentials that send breach confirmation emails to the attackers. They then create a WebSocket backdoor, allowing live remote access and command execution. Interestingly, cfc-bsb doesn’t use Gmail but does implement WebSocket functionality for remote control.
This tactic cleverly bypasses traditional email and proxy filters. Since Gmail’s domain is widely trusted by enterprise security tools, the exfiltration often flies under the radar.
Staying Safe from Supply Chain Threats
To guard against these evolving attacks, developers and DevSecOps teams must stay vigilant. Here are key precautions:
- Audit dependencies regularly and flag unknown or suspicious ones.
- Verify publisher reputations and check GitHub links for real activity.
- Use strict access controls to protect sensitive assets like API keys.
- Monitor outbound traffic, especially SMTP or WebSocket connections.
- Don’t trust longevity alone—even old packages can be compromised.
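One way to put the first precaution into practice is a small manifest audit that checks a project’s declared dependencies against the package names reported in this article. The script below is an added example, not code from Socket, Sonatype or Fortinet; the blocklist is the article’s list with the `[.]` defanging removed, the manifest snippets are constructed for the demonstration, and the go.mod parsing is a deliberately simple regex rather than a full parser.

```python
import json
import re

# Package names reported above (defanging removed); extend with your own feed.
BLOCKLIST = {
    "go": {
        "github.com/truthfulpharm/prototransform",
        "github.com/blankloggia/go-mcp",
        "github.com/steelpoor/tlsproxy",
    },
    "npm": {
        "crypto-encrypt-ts", "react-native-scrollpageviewtest", "bankingbundleserv",
        "buttonfactoryserv-paypal", "oauth2-paypal", "userrelationship-paypal",
    },
    "pypi": {
        "web3x", "herewalletbot", "cfc-bsb", "coffin2022", "coffin-codes-2022",
        "coffin-codes-net", "coffin-codes-net2", "coffin-codes-pro", "coffin-grave",
    },
}

def normalize_pypi(name):
    # PEP 503 normalisation: case-insensitive, runs of "-", "_" and "." become "-",
    # so "Coffin_Codes_Net" matches the blocklist entry "coffin-codes-net".
    return re.sub(r"[-_.]+", "-", name).lower()

def deps_from_requirements(text):
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blank lines and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize_pypi(m.group(0)))
    return names

def deps_from_package_json(text):
    data = json.loads(text)
    return [n for key in ("dependencies", "devDependencies") for n in data.get(key, {})]

def deps_from_go_mod(text):
    # Matches "require mod v1.2.3" and the lines inside a "require ( ... )" block.
    return re.findall(r"^\s*(?:require\s+)?(\S+/\S+)\s+v[\w.+-]+", text, re.M)

PARSERS = {"pypi": deps_from_requirements, "npm": deps_from_package_json, "go": deps_from_go_mod}

def audit(manifests):
    """manifests: {ecosystem: manifest text}. Returns [(ecosystem, flagged name), ...]."""
    return [(eco, n) for eco, text in manifests.items()
            for n in PARSERS[eco](text) if n in BLOCKLIST[eco]]

# Constructed sample manifests: one hit per ecosystem, plus a near-miss ("web3" is not "web3x").
SAMPLE = {
    "pypi": "requests==2.31.0\nCoffin_Codes_Net==1.0  # looks harmless\nweb3==6.0\n",
    "npm": '{"dependencies": {"react": "18.2.0", "oauth2-paypal": "^1.0.0"}}',
    "go": "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgolang.org/x/net v0.25.0\n"
          "\tgithub.com/steelpoor/tlsproxy v0.1.0 // indirect\n)\n",
}
```

Running `audit(SAMPLE)` flags coffin-codes-net, oauth2-paypal and github.com/steelpoor/tlsproxy while leaving the benign entries alone; point it at real manifests by reading the files into the same dictionary.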
As Socket researcher Olivia Brown warned, “Attackers are getting smarter, and they’re using trusted services like Gmail to quietly walk out the front door with your secrets.”