wget to Wipeout: Malicious Go Modules Fetch Destructive Payload socket.dev/blog/wget…

Socket’s Threat Research Team uncovered a stealthy and highly destructive supply-chain attack targeting developers using Go modules. Attackers leveraged obfuscation to deliver a catastrophic disk-wiper payload. The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

In April 2025, we detected an attack involving three malicious Go modules that employ similar obfuscation techniques. Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behavior, which led us to a deeper investigation.
