Golang Supply Chain Attack Targets Linux Servers with Disk-Wiping Malware
A recent supply-chain attack has been uncovered targeting Linux servers through malicious Golang modules published on GitHub. Security researchers identified three modules, prototransform, go-mcp, and tlsproxy, that contained heavily obfuscated code designed to fetch and execute a destructive payload. The payload, a Bash script named done.sh, first checks that it is running on Linux and then launches a disk wipe with dd, overwriting the primary storage device (/dev/sda) with zeros. That destroys the operating system, user files, and system configuration in a single pass; once the script has run, the host is unbootable and the data is unrecoverable. (The target is hard-coded as /dev/sda, so a host whose root disk has a different device name would survive this particular script, but the intent is unmistakable.) The modules impersonated legitimate developer tools, which likely helped them blend in and avoid immediate detection.

The attack highlights a growing threat in the open-source ecosystem, where trust is often assumed by default. Because Go modules are fetched directly from version-control hosts rather than from a curated central registry, attackers can publish modules under import paths nearly identical to those of real projects, increasing the risk that an unsuspecting developer pulls in the wrong one. Once a developer includes the tainted module, the dropper runs as soon as the importing program executes the module's code, giving defenders little or no time to respond. The intent behind this campaign appears purely destructive, with no signs of extortion or data theft. It is a warning to development teams that rely on third-party code, particularly in environments with limited vetting or dependency auditing: continuous monitoring, strict source validation, and real-time package scanning are becoming necessary safeguards against this class of threat.
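A point worth spelling out for Go developers: code in a module's init() runs the moment the module is imported, before any of the importing program's own logic, which is why a dropper in a dependency needs no call from the victim's code. The following Go program is an added example, not code from the original report or from the malicious modules, and is one way to triage a freshly fetched module before trusting it: it parses a Go file with go/ast and flags exec.Command calls (noting whether they sit in init()), string literals that carry shell or download commands, and string([]byte{...}) conversions, a common way to hide a command from grep. The sample dropper source embedded in the block is constructed for illustration; the indicator list and the reason strings are my own assumptions, not anything the researchers published.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one suspicious construct located in a Go source file.
type Finding struct {
	Line   int
	Reason string
}

// Substrings that, inside a string literal, point at a download-and-run or
// disk-destroying command. This list is an assumption; extend it as needed.
var suspiciousCmds = []string{"wget ", "curl ", "/bin/sh", "/bin/bash", "dd if=", "/dev/sda", "chmod +x"}

// AuditSource parses one Go file and reports constructs typical of a module
// dropper: os/exec calls (especially from init(), which runs on import before
// any of the importing program's own code), shell/download command strings,
// and string([]byte{...}) conversions that hide a command from plain grep.
func AuditSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	importsExec := false
	for _, imp := range f.Imports {
		if strings.Trim(imp.Path.Value, `"`) == "os/exec" {
			importsExec = true
		}
	}
	var findings []Finding
	add := func(pos token.Pos, reason string) {
		findings = append(findings, Finding{Line: fset.Position(pos).Line, Reason: reason})
	}
	for _, decl := range f.Decls {
		where := "function body"
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Recv == nil && fn.Name.Name == "init" {
			where = "init()"
		}
		ast.Inspect(decl, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.CallExpr:
				// exec.Command / exec.CommandContext, matched by the package's default identifier.
				if sel, ok := x.Fun.(*ast.SelectorExpr); ok && importsExec {
					if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "exec" &&
						(sel.Sel.Name == "Command" || sel.Sel.Name == "CommandContext") {
						add(x.Pos(), "exec."+sel.Sel.Name+" call in "+where)
					}
				}
				// string([]byte{...}): a command assembled from raw bytes at runtime.
				if id, ok := x.Fun.(*ast.Ident); ok && id.Name == "string" && len(x.Args) == 1 {
					if cl, ok := x.Args[0].(*ast.CompositeLit); ok {
						if at, ok := cl.Type.(*ast.ArrayType); ok {
							if el, ok := at.Elt.(*ast.Ident); ok && el.Name == "byte" {
								add(x.Pos(), "string built from byte literal (possible obfuscated command)")
							}
						}
					}
				}
			case *ast.BasicLit:
				if x.Kind == token.STRING {
					for _, s := range suspiciousCmds {
						if strings.Contains(x.Value, s) {
							add(x.Pos(), "shell/download command string: "+s)
							break
						}
					}
				}
			}
			return true
		})
	}
	return findings, nil
}

// SampleDropper is a constructed stand-in for a malicious module file; it is
// not code from the real prototransform, go-mcp or tlsproxy modules.
const SampleDropper = `package tlsproxy

import "os/exec"

func init() {
	cmd := string([]byte{0x77, 0x67, 0x65, 0x74})
	exec.Command("/bin/sh", "-c", cmd).Run()
}
`

func main() {
	findings, err := AuditSource("sample.go", SampleDropper)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run it over every file under $(go env GOMODCACHE) for the module in question after go mod download, before the module is built into anything. The check matches os/exec by its default identifier, so a module that aliases the import or reaches the shell through syscall.Exec would evade it; treat a clean result as a first pass rather than a verdict, and keep go.sum under review so a module's content cannot change underneath you without a visible diff.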
Kubernetes at Risk: Misconfigured default Helm Charts Expose Cloud Environments
Microsoft has warned that the widespread use of default Helm charts and Kubernetes templates can introduce serious security flaws into containerized environments. Popular for their simplicity and speed, these pre-made templates are often designed for convenience rather than security, so many organizations end up deploying workloads with default configurations that expose services to the internet, lack proper access controls, or permit administrative actions without restriction. Helm, the Kubernetes package manager, relies on YAML manifests to define deployments, and many open-source projects distribute charts that favor a quick setup over a hardened one. Without thorough review and modification of a chart's values, users may unintentionally expose sensitive systems, APIs, or data sources to external attackers. The risk is especially acute in production environments, where these gaps can serve as a point of initial access or enable lateral movement.

Several examples highlighted by Microsoft demonstrate the problem. Apache Pinot's default Helm chart exposes core components, pinot-controller and pinot-broker, through LoadBalancer services with no authentication. Meshery's deployment exposes its web interface externally, allowing anyone who can reach it to register an account, sign in, and deploy arbitrary workloads in the cluster. Selenium Grid's setup creates a NodePort service, which opens the chosen port on every node in the cluster and relies solely on external firewall rules for protection. None of these is a deliberate backdoor, but each gives an attacker a low barrier to entry. To reduce the risk, Microsoft recommends auditing all default templates, customizing Helm chart values before deployment, scanning for publicly accessible interfaces, and monitoring containers for suspicious behavior. Default settings should never be assumed secure, least of all when they form the foundation of internet-exposed infrastructure.
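Microsoft's advice to scan for publicly accessible interfaces can be automated from the cluster's own view of its Services. The Go program below is an added example, not Microsoft's tooling and not part of any of the charts mentioned: it reads the JSON that kubectl get svc -A -o json prints and lists every LoadBalancer or NodePort Service, with the published ports and any external address a cloud load balancer has already assigned. The embedded sample output is constructed to mimic the defaults the article describes; the namespaces, port numbers, and the 203.0.113.10 address are illustrative, not taken from the real charts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// serviceList holds just the fields this audit needs from the JSON that
// `kubectl get svc -A -o json` prints (a v1 List of v1 Service objects).
type serviceList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			Type  string `json:"type"`
			Ports []struct {
				Port     int `json:"port"`
				NodePort int `json:"nodePort"`
			} `json:"ports"`
		} `json:"spec"`
		Status struct {
			LoadBalancer struct {
				Ingress []struct {
					IP       string `json:"ip"`
					Hostname string `json:"hostname"`
				} `json:"ingress"`
			} `json:"loadBalancer"`
		} `json:"status"`
	} `json:"items"`
}

// Exposure describes one Service reachable from outside the cluster network.
type Exposure struct {
	Namespace string
	Name      string
	Type      string   // LoadBalancer or NodePort
	Ports     []int    // LB port, or the node port opened on every node
	External  []string // addresses a cloud load balancer has already published
}

// ExposedServices returns every LoadBalancer or NodePort Service in the kubectl
// output, sorted by namespace then name. ClusterIP and ExternalName services are
// skipped because they do not publish a listener outside the cluster.
func ExposedServices(kubectlJSON []byte) ([]Exposure, error) {
	var list serviceList
	if err := json.Unmarshal(kubectlJSON, &list); err != nil {
		return nil, err
	}
	var out []Exposure
	for _, s := range list.Items {
		if s.Spec.Type != "LoadBalancer" && s.Spec.Type != "NodePort" {
			continue
		}
		e := Exposure{Namespace: s.Metadata.Namespace, Name: s.Metadata.Name, Type: s.Spec.Type}
		for _, p := range s.Spec.Ports {
			if s.Spec.Type == "NodePort" {
				e.Ports = append(e.Ports, p.NodePort) // the port every node listens on
			} else {
				e.Ports = append(e.Ports, p.Port) // the port the load balancer fronts
			}
		}
		for _, in := range s.Status.LoadBalancer.Ingress {
			if in.IP != "" {
				e.External = append(e.External, in.IP)
			} else if in.Hostname != "" {
				e.External = append(e.External, in.Hostname)
			}
		}
		out = append(out, e)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Namespace != out[j].Namespace {
			return out[i].Namespace < out[j].Namespace
		}
		return out[i].Name < out[j].Name
	})
	return out, nil
}

// SampleKubectlOutput is a constructed, trimmed-down kubectl List mimicking the
// defaults the article describes; names, ports and addresses are illustrative.
const SampleKubectlOutput = `{"apiVersion":"v1","kind":"List","items":[
 {"kind":"Service","metadata":{"name":"pinot-controller","namespace":"pinot"},
  "spec":{"type":"LoadBalancer","ports":[{"port":9000,"targetPort":9000,"nodePort":31000}]},
  "status":{"loadBalancer":{"ingress":[{"ip":"203.0.113.10"}]}}},
 {"kind":"Service","metadata":{"name":"pinot-broker","namespace":"pinot"},
  "spec":{"type":"LoadBalancer","ports":[{"port":8099,"targetPort":8099,"nodePort":31001}]},
  "status":{"loadBalancer":{}}},
 {"kind":"Service","metadata":{"name":"selenium-hub","namespace":"selenium"},
  "spec":{"type":"NodePort","ports":[{"port":4444,"targetPort":4444,"nodePort":30444}]},
  "status":{"loadBalancer":{}}},
 {"kind":"Service","metadata":{"name":"kube-dns","namespace":"kube-system"},
  "spec":{"type":"ClusterIP","ports":[{"port":53,"targetPort":53}]},
  "status":{"loadBalancer":{}}}
]}`

func main() {
	exposed, err := ExposedServices([]byte(SampleKubectlOutput))
	if err != nil {
		panic(err)
	}
	for _, e := range exposed {
		fmt.Printf("%s/%s %s ports=%v external=%v\n", e.Namespace, e.Name, e.Type, e.Ports, e.External)
	}
}
```

To run it against a real cluster, save the kubectl output to a file and pass its bytes (os.ReadFile) to ExposedServices. Anything the tool lists that is a management UI or an unauthenticated API should be switched to ClusterIP in the chart's values (the exact key differs per chart; service.type is a common but not universal name) and placed behind an authenticated ingress, or have its exposure justified in writing. NodePort entries deserve particular attention: the port is opened on every node, so one permissive security group or firewall rule on any node exposes the service.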
Android Devices at Risk: Critical RCE Vulnerability
Google's May 2025 Android security update addresses 57 vulnerabilities, the most urgent being CVE-2025-27363, a high-severity remote code execution flaw exploited in the wild since at least March 2025. Initially disclosed by Facebook's (Meta's) security team, the bug is in the FreeType font rendering library and affects Android 13 and 14 devices that have not received the 2025-05-05 security patch level. Both Meta and Google have confirmed limited, targeted exploitation, but neither has disclosed details about the attackers or the nature of the attacks. The vulnerability is an out-of-bounds write triggered while parsing malformed TrueType GX and variable fonts; because a malicious font file is parsed as soon as an application loads it, the flaw can lead to code execution without user interaction and without any prior elevated privileges. According to Kaspersky's Global Research and Analysis Team (GReAT), the exploit has been observed in limited, targeted attacks against financial institutions in Southeast Asia, where threat actors chain it with privilege escalation vulnerabilities to deliver rootkits capable of bypassing Android's SELinux enforcement; the payloads reportedly exfiltrate sensitive data from mobile banking applications while maintaining persistent access to the device. Google has pushed patches to the Android Open Source Project and notified OEMs for immediate deployment.

Alongside CVE-2025-27363, the update includes critical fixes across the Android Framework, kernel, and hardware components. Twelve elevation-of-privilege issues were resolved in system modules such as JobScheduler and Foreground Services, while hardware-level flaws in MediaTek modems, Qualcomm DSPs, and Arm Mali GPUs received coordinated vendor patches. Kernel updates include memory-safety hardening backported to Android 12 devices, and Project Mainline has patched key components, including the Wi-Fi stack and the permission controller, via Google Play system updates, which reach devices without OEM involvement.

Enterprise admins are advised to audit sideloaded apps, enforce verified boot policies, and monitor for signs of persistent mobile access. For consumers, enabling automatic updates and disabling app installs from unknown sources remains critical. Although Google reports a 17% year-over-year drop in critical vulnerabilities, which it attributes to increased Rust and Kotlin adoption, this incident underscores that even modern mobile platforms remain high-value targets for financially motivated threat actors.