wget to Wipeout: Malicious Go Modules Fetch Destructive Payload
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.

The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

- No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
- Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.

Introduction: The Silent Threat

In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:

- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy

Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.
·socket.dev·