Programmer’s Digest #133
04/30/2025-05/07/2025 Malicious Go Modules, SonicWall Flaws, Critical Langflow RCE Flaw And More
1. Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain
Cybersecurity researchers have uncovered three malicious Go modules—prototransform, go-mcp, and tlsproxy—containing obfuscated code that downloads destructive payloads designed to wipe Linux systems. Once executed, the payload uses wget to fetch a shell script that irreversibly overwrites the primary disk (/dev/sda), rendering the machine unbootable.
This attack permanently cripples systems and exemplifies the severe risk of supply-chain compromises. Additional threats include malicious npm and PyPI packages targeting cryptocurrency wallets and developer environments. Packages like crypto-encrypt-ts, herewalletbot, and others steal sensitive data, such as seed phrases and private keys.
A separate set of PyPI packages, including coffin-codes-net and cfc-bsb, used Gmail SMTP and WebSockets to exfiltrate data and enable remote command execution.
Experts urge developers to vet package publishers, monitor unusual outbound traffic, and avoid trusting packages solely based on their longevity.
2. CISA Flags Two SonicWall Flaws As Actively Exploited
CISA has added two actively exploited SonicWall vulnerabilities—CVE-2023-44221 and CVE-2024-38475—to its Known Exploited Vulnerabilities catalog, following the release of proof-of-concept exploit code. The vulnerabilities in question are listed below:
- CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as the ‘nobody’ user, potentially leading to an OS command injection vulnerability.
- CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.
The flaws affect SonicWall SMA remote access devices, enabling remote command injection and path mapping, with one providing admin-level access via an Apache HTTP Server bug. Patches have been available since late 2023 and 2024; systems running version 10.2.1.14-75sv or later are secure. CISA has ordered federal agencies to patch by May 22, 2025. Experts urge immediate patching of all vulnerable SMA 100 series devices to prevent exploitation.
3. Critical Langflow RCE Flaw Exploited to Hack AI App Servers
CISA has warned of active exploitation of a critical remote code execution (RCE) flaw in Langflow, tracked as CVE-2025-3248. The vulnerability allows unauthenticated attackers to execute code via the /api/v1/validate/code endpoint on exposed servers. Langflow, a popular open-source tool for building AI workflows with LangChain, fails to properly sanitize user-submitted code in affected versions.
Version 1.3.0, released April 1, 2025, fixes the issue by adding authentication to the vulnerable endpoint. Users are urged to upgrade immediately, preferably to the latest version 1.4.0. Horizon3 researchers, who published a proof-of-concept, found over 500 exposed instances online and warn of poor security design in Langflow.
CISA has mandated federal agencies to update or mitigate the flaw by May 26. Those unable to upgrade should restrict network access using firewalls or VPNs. No ransomware activity has been confirmed, but exploitation is ongoing, and immediate action is advised.
4. Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach
Commvault has disclosed a breach of its Microsoft Azure environment by a suspected nation-state actor exploiting CVE-2025-3928, a zero-day vulnerability. The company, alerted by Microsoft on February 20, 2025, emphasized there is no evidence of unauthorized access to customer backup data or disruption to its operations.
The attack affected a small number of mutual customers with Microsoft. Commvault responded by rotating credentials and enhancing security measures. CISA has since added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch Commvault Web Server by May 19, 2025.
To mitigate risk, customers are urged to enforce Conditional Access policies on Microsoft 365, Dynamics 365, and Azure AD apps, rotate secrets every 90 days, and monitor sign-in activity. Commvault also advises blocking and monitoring the following IPs linked to the attack: 108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20.