A stealthy supply-chain attack has been identified targeting developers using Go modules. This attack utilizes obfuscated code to deliver a destructive disk-wiper payload, exploiting the Go ecosystem’s openness. Immediate action is advised to safeguard against irrecoverable data loss.
Affected: Developers, Linux systems, Software supply chains
Key points:
- A single line of obfuscated Go code turned into a catastrophic disk-wiper payload.
- The attack exploits the decentralized Go ecosystem and minimal namespace validation.
- Developers are targeted through typosquatting of popular Go modules.
- Malicious modules were flagged by Socket’s scanners for executing suspicious behaviors.
- The payload specifically targets Linux operating systems.
- Execution leads to irreversible data loss by overwriting system disks.
- Proactive security measures are necessary to protect code dependencies.
MITRE Techniques:
- T1195 — Supply Chain Compromise: Exploiting trust placed in Go modules from public repositories.
- T1485 — Data Destruction: The execution of the disk-wiping payload causes irrecoverable data loss.
- T1027 — Obfuscated Files or Information: Use of obfuscated code to hide destructive intent.
- T1059.004 — Command and Scripting Interpreter (Unix Shell): Invokes shell commands for payload execution.
- T1036 — Masquerading: Attackers utilize similar module names to mislead developers.
Indicators of Compromise:
- Malicious Module: github[.]com/truthfulpharm/prototransform
- Malicious Module: github[.]com/blankloggia/go-mcp
- Malicious Module: github[.]com/steelpoor/tlsproxy
- Malicious URL: https://vanartest[.]website/storage/de373d0df/a31546bf
- Malicious URL: http://147.45.44[.]41/storage/de373d0df/ccd7b46d
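The module paths above are published in defanged form ("github[.]com"), so they cannot be matched against a real go.mod as written. The following Go program is an added example, not code from the advisory or from Socket: it refangs the three listed module paths, parses the `require` directives of a go.mod file (both the single-line and the block form, with comments stripped), and reports any dependency that appears on the list. The go.mod content embedded in `sampleGoMod` is constructed for the demonstration; the module paths in `defangedIoCs` are the ones from the IoC list on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module paths taken from the advisory's IoC list, in the defanged form
// the bulletin uses ("github[.]com"). These are the page's values, not constructed.
var defangedIoCs = []string{
	"github[.]com/truthfulpharm/prototransform",
	"github[.]com/blankloggia/go-mcp",
	"github[.]com/steelpoor/tlsproxy",
}

// refang turns "github[.]com/x" into "github.com/x" so the path can be
// compared against real module paths found in go.mod or go.sum.
func refang(s string) string {
	return strings.ReplaceAll(s, "[.]", ".")
}

// blocklist builds a lookup set of refanged module paths.
func blocklist(defanged []string) map[string]bool {
	m := make(map[string]bool, len(defanged))
	for _, d := range defanged {
		m[refang(d)] = true
	}
	return m
}

// requiredModules extracts module paths from go.mod text. It handles both
// "require path version" single lines and "require ( ... )" blocks, drops
// trailing // comments, and keeps only the module path (the first token).
func requiredModules(gomod string) []string {
	var out []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			out = append(out, strings.Fields(line)[0])
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 2 {
				out = append(out, f[1])
			}
		}
	}
	return out
}

// findMatches returns the required module paths that appear on the blocklist,
// in the order they occur in the go.mod text.
func findMatches(gomod string, block map[string]bool) []string {
	var hits []string
	for _, p := range requiredModules(gomod) {
		if block[p] {
			hits = append(hits, p)
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod used only to exercise the check.
const sampleGoMod = `module example.com/app

go 1.22

require github.com/truthfulpharm/prototransform v0.1.0 // listed module, single-line form

require (
	golang.org/x/text v0.14.0
	github.com/steelpoor/tlsproxy v1.2.3
)
`

func main() {
	hits := findMatches(sampleGoMod, blocklist(defangedIoCs))
	if len(hits) == 0 {
		fmt.Println("no listed modules found in go.mod")
		return
	}
	for _, h := range hits {
		fmt.Printf("ALERT: go.mod requires a module listed as malicious: %s\n", h)
	}
}
```

To run it against a real project, replace `sampleGoMod` with the contents of the project's go.mod. Because go.sum also records indirect dependencies (one module path per line as the first field), matching the same refanged set against that file's first column catches a listed module pulled in transitively, which a go.mod check alone would miss.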
Full Story: https://socket.dev/blog/wget-to-wipeout-malicious-go-modules-fetch-destructive-payload