Cybersecurity researchers have spotted three malicious Go modules containing obfuscated code capable of fetching destructive payloads designed to render Linux systems permanently unbootable.
The compromised packages are: github[.]com/truthfulpharm/prototransform; github[.]com/blankloggia/go-mcp; and github[.]com/steelpoor/tlsproxy. They were found to contain code that checks for Linux environments before using wget to download a secondary payload from a remote server.
Once executed, the payload irreversibly overwrites the system’s primary disk (/dev/sda) with zeroes, effectively bricking the machine.
“/dev/sda (the primary disk) typically represents the primary storage device of a Linux system. This is usually where the operating system, user files, databases, configurations, and critical system data reside,” the report notes. “Writing zeros onto this disk doesn't just delete files—it systematically overwrites every byte of data, making recovery virtually impossible. By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable.”
Developers are advised to adopt stricter dependency management practices, including verifying publisher credentials, auditing package updates, and implementing strong access controls to minimize exposure to such threats.
