Discovering that a trusted tool can become your worst enemy is one of the most unsettling realities in software development. This was recently demonstrated when a malicious campaign targeted Linux servers through Golang modules published on GitHub. What appeared to be legitimate components concealed wiper malware, designed to erase critical data and severely compromise the affected systems.
Detected last month, this threat utilized three Go modules containing highly obfuscated code to retrieve and execute remote payloads. This type of attack not only puts individual developers at risk but also exposes deep vulnerabilities in the software supply chain.
Total Disk Destruction: How the Attack Works
This attack is no ordinary threat. It’s clearly designed for servers running Linux and environments where developers work. The primary malicious payload is a Bash script called done.sh, which executes a simple but devastating dd command to wipe files.
Before doing its dirty work, the malware first ensures it’s actually running on Linux (by checking that runtime.GOOS == "linux"), and if so, proceeds.
According to an analysis by the security company Socket, the command overwrites every byte of the disk with zeros. The result? Complete and irreversible data loss and, essentially, an unusable system. The attack directly targets the main storage volume, /dev/sda, where all critical data resides: system files, user data, databases, and configurations.
As Socket explains:
"By filling the entire disk with zeros, the script completely destroys the filesystem structure, the operating system, and all user data. The system cannot boot and becomes unrecoverable."
Researchers detected this campaign in April and found three Go modules uploaded to GitHub (which have since been removed):
-
github[.]com/truthfulpharm/prototransform
-
github[.]com/blankloggia/go-mcp
-
github[.]com/steelpoor/tlsproxy
All contained highly obfuscated code that, when executed, downloaded a wiping script using wget and then launched it with /bin/bash or /bin/sh. Worse yet, the malicious payloads executed immediately after being downloaded, leaving almost no time to detect the issue or attempt recovery.
These modules appeared legitimate at first glance. One supposedly converted message data into various formats (Prototransform), another was a Go implementation of the Model Context Protocol (go-mcp), and the last offered a TLS proxy to encrypt TCP and HTTP servers (tlsproxy).
But it was all a facade. As Socket warns, even minimal contact with these modules can cause havoc, leading to total data loss.
The bigger issue behind this is the decentralized nature of the Go ecosystem. There are no strict controls preventing different developers from using similar or identical package names. Attackers exploit this weakness to create modules that appear trustworthy, hoping developers will include them in their projects without suspicion.
Advanced Obfuscation to Stay Under the Radar
To avoid raising suspicion, the attackers used fairly sophisticated obfuscation techniques. They manipulated string arrays and executed code dynamically while the program was running. What did this achieve? It made it extremely difficult for traditional antivirus software and code analysis tools to detect the malware. In other words, the malicious code could hide in plain sight without being caught.
How to Protect Yourself from This Type of Attack
What happened is a real wake-up call for any developer working with open-source tools and libraries. To avoid falling into similar traps, it’s essential to follow a few best practices:
-
Carefully review third-party dependencies before including them in your projects.
-
Use tools that analyze code for known vulnerabilities and obfuscated code.
-
Always pin specific versions of dependencies, choosing only those you know to be trustworthy.
-
Perform regular code audits and conduct penetration testing.
-
Make frequent backups so you can recover your system if the worst happens.
This attack (which can literally wipe your entire disk) is a reminder that even the smallest and least-known packages can become a major threat. The attackers behind the prototransform, go-mcp, and tlsproxy modules weren’t targeting any particular company. They simply exploited the trust many developers place in the Go module ecosystem.
The lesson is clear: today, developing secure software involves much more than following basic practices. Code audits must be routine, automated dependency analysis is essential, and continuous monitoring of software behavior during execution should be part of your development cycle—especially if your project uses many open-source components.
