PieFedMalicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack
submitted by
abobla@lemm.ee
edited
abobla@lemm.ee
edited
thehackernews.com/2025/05/malicious-go-modules-…
Packages:
* github.com/truthfulpharm/prototransform
* github.com/blankloggia/go-mcp
* github.com/steelpoor/tlsproxy
Aaah finally, malware for Linux, truly the year of the Linux Desktop!
We made it! I never thought I'd live to see this day!
Notice me Hacker Senpai!
This is why we can't have nice things
This is absolutely not just specific to Go.
The problem isn't specific to anything. It's also not specific to malware. Vulnerabilities are just as dangerous, if not more so.
Cargo also has a
--gitoption but I suppose it's not default behaviorSure! My point is that hosting doesn't really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.
I agree, I was just giving another example to raise awareness about that feature of rust.
Any intel on affected, high-profile software?
I found the original blog post more educational.
Looks like these may be typosquats, or at least "namespace obfuscation", imitating more popular packages. So hopefully not too widespread. I think it's easy to just search for a package name and copy/paste the first .git files, but it's important to look at forks/stars/issue numbers too. Maybe I'm just paranoid but I always creep on the owners of git repos a little before I include their stuff, but I can't say I do that for *their* includes and *those* includes etc. Like if this was included in hugo or something huge I would just be fucked.
The really fun version of that is when people take some of the hallucinated package names from an LLM and create them, but with malware.
Deleted by author
If anyone is curious, I checked the yay aur helper go dependencies here and it had none of the malicious packages mentioned on this post
Halloween documents pt 2