Massive Malware Threat Hidden in Open-Source Repositories: Linux Systems and Crypto Wallets at Risk

Listen to this Post

Featured Image
Cybersecurity professionals are sounding the alarm after uncovering a series of malicious software packages embedded in popular open-source code repositories, which threaten to destroy Linux systems and exfiltrate sensitive user data — particularly targeting cryptocurrency assets.

In a coordinated analysis by researchers from Socket, Sonatype, and Fortinet, several Go, npm, and PyPI packages were discovered to contain obfuscated code designed to initiate catastrophic or stealthy attacks. These packages passed under the radar for months, masquerading as legitimate developer tools, but their real intent was far more dangerous: overwriting hard drives, hijacking emails, and stealing private crypto keys.

The core threat centers around three malicious Go modules that check if they’re running on Linux, then silently fetch and execute a shell script designed to wipe the primary system disk (/dev/sda) using zero-fill commands. Once executed, the script bricks the machine permanently, making data recovery impossible. This destructive behavior highlights the growing sophistication and severity of modern software supply chain attacks.

Simultaneously, a slew of malicious npm packages have been found specifically engineered to extract mnemonic phrases and private keys from unsuspecting developers working on cryptocurrency projects. These packages, often disguised with names mimicking PayPal services or generic-sounding developer tools, are believed to have collectively endangered thousands of users.

On the Python side, a different flavor of attack has emerged. At least seven PyPI packages were engineered to leverage Gmail’s SMTP server and WebSocket connections to silently transmit compromised data to attackers while avoiding corporate firewall detections. Some of these had already amassed tens of thousands of downloads before removal. The threat actors even hardcoded Gmail credentials directly into the packages, showing their intent to keep the data exfiltration process simple, silent, and scalable.

Here’s a breakdown of what was found:

Go Modules That Irrevocably Destroy Linux Systems:

`github.com/truthfulpharm/prototransform`

`github.com/blankloggia/go-mcp`

`github.com/steelpoor/tlsproxy`

These modules contain heavily obfuscated code that, once executed on Linux, retrieves a payload that wipes the /dev/sda disk with zeroes — permanently killing the system.

Malicious npm Packages Targeting Crypto Wallets:

`crypto-encrypt-ts`

`react-native-scrollpageviewtest`

`bankingbundleserv`

`buttonfactoryserv-paypal`

`tommyboytesting`

`compliancereadserv-paypal`

`oauth2-paypal`

`paymentapiplatformservice-paypal`

`userbridge-paypal`

`userrelationship-paypal`

These are designed to steal wallet seed phrases, private keys, and other sensitive cryptocurrency data.

Malware-Laced PyPI Packages Using Gmail and WebSockets:

`cfc-bsb` (2,913 downloads)

`coffin2022` (6,571 downloads)

`coffin-codes-2022` (18,126 downloads)

`coffin-codes-net` (6,144 downloads)

`coffin-codes-net2` (6,238 downloads)

`coffin-codes-pro` (9,012 downloads)

`coffin-grave` (6,544 downloads)

These packages use hardcoded Gmail credentials to notify attackers of a successful breach and then establish a two-way WebSocket tunnel for live command execution or data transfer.

Developers are urged to conduct in-depth audits of any third-party dependencies, even ones that seem benign. Packages with long histories or popular names may still be compromised, especially if they’ve recently changed maintainers or codebases. Endpoint protection alone is insufficient — developers need to monitor for abnormal outbound connections and review all repository histories manually.

What Undercode Say:

From an offensive security standpoint, this discovery underlines a disturbing evolution in the landscape of software supply chain attacks. The Go modules are particularly alarming due to their destructive potential. Once executed, there’s no coming back: the primary Linux disk is wiped clean with zeroes, making the system not only unbootable but impossible to forensically recover. This shows a deep shift away from classic malware strategies that sought persistence, opting instead for irreversible damage.

The decision to hide such scripts within Go modules targeting developer environments may not be accidental. Developers often run code with elevated privileges, especially in testing environments, which makes them prime targets. By embedding such logic in seemingly innocuous modules, attackers ensure broad reach while remaining under the radar.

On the npm front, the tactic of mimicking PayPal-related services is clearly designed to exploit familiarity bias. Developers scanning quickly through dependency trees may glance at “oauth2-paypal” or “paymentapiplatformservice-paypal” and assume legitimacy. This deception becomes more potent when the naming structure mirrors real services. Once embedded in crypto-related applications, these malicious packages harvest wallet credentials and seed phrases — often the only line of defense against theft.

As for PyPI, the attackers’ use of Gmail’s SMTP servers and WebSocket tunnels is exceptionally clever. Corporate environments rarely blacklist Gmail traffic, and WebSocket connections are notoriously difficult to inspect. This stealthy approach allows for real-time command execution and data exfiltration with minimal detection risk. It also implies the attackers expect long dwell times inside compromised environments — a chilling prospect.

Collectively, these campaigns illustrate a broader trend: attackers are refining their supply chain arsenals, choosing subtlety, mimicry, and precision targeting over brute force. Trust, once broken in open-source software, is hard to restore — and it’s now being weaponized against the very developers who rely on it.

This is not just about compromised packages; it’s about a fractured trust model. Developers, DevOps teams, and security engineers must rethink their approach to package vetting. Automation, signature validation, and sandboxing are no longer optional — they are essential components of modern development hygiene.

Fact Checker Results:

  1. All named malicious packages were verified as reported by Socket, Fortinet, and Sonatype.
  2. Downloads and infection vectors were confirmed through metadata from PyPI and npm registries.
  3. The disk wipe capability on /dev/sda aligns with known destructive shell behavior previously analyzed in malware like “Shredder.”

Prediction:

Expect to see more deeply embedded malware hidden within open-source ecosystems, particularly targeting developer and DevOps environments. Attackers will continue using deceptive naming schemes and abuse trusted services like Gmail or GitHub to bypass detection. Without systemic changes in how dependencies are vetted and verified, the next wave of attacks could be even more destructive — possibly combining data theft and system destruction in one hybrid payload.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram