Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.

The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat#
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.

Analysis of payloads suggest affiliates may be using a shared codebase or common builder to deploy attacks under different RaaS brand names.

Ivanti Connect Secure (ICS) devices are under attack! Two critical vulnerabilities are being exploited to deploy the notorious Mirai botnet.

Notorious botnet and infostealer XLoader makes a return to macOS with a new dropper and malware payload.

The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.