Poisoned Code: Stealthy Malicious Go Module Backdoor Discovered in Long-Running Typosquat

Open-source software repositories remain a top target for modern cybercriminals. Recently, Socket’s Threat Research Team uncovered a clever supply chain attack. Specifically, threat actors planted a malicious Go module backdoor inside a single-character typosquat of a widely used library. The compromised package targeted github.com/shopspring/decimal, an arbitrary-precision arithmetic library. Financial, billing, and cryptocurrency systems rely heavily on this package. Consequently, the attackers created a fraudulent clone named github.com/shopsprint/decimal to trap developers.

The Sophisticated Trust-Then-Poison Tactic

Interestingly, the rogue package remained completely harmless for nearly six years. The developers published seven non-malicious versions to match upstream updates perfectly. However, the threat actor weaponized the library on August 19, 2023, with version v1.3.3. This delayed attack strategy allowed the module to bypass traditional security detection mechanisms easily.

According to the official report from Socket:

“The combined effect is roughly six years of benign typosquat presence followed by approximately thirty-three months of weaponized presence in the open Go module ecosystem before disclosure.”

Inside the Stealthy DNS Backdoor

The execution triggers instantly whenever a developer imports the package into their project dependency graph. Furthermore, the malicious behavior runs entirely in a separate background goroutine. A malicious init() function launches an infinite loop that polls every five minutes. Specifically, the backdoor performs a DNS TXT record lookup for a hardcoded subdomain.

The report describes the command execution mechanism clearly:

“For each TXT record returned, the content string is passed directly to exec.Command() and executed via CombinedOutput(), enabling arbitrary remote code execution on any system that imports this package.”

Because DNS traffic easily evades standard egress controls, this method creates a highly stealthy communication layer. For example, firewalls that block outbound HTTP connections will frequently overlook regular outbound DNS lookups. Therefore, the attacker can execute arbitrary code on production servers without raising alarms.

Evaluating the Broad Blast Radius

Impact on Infrastructure

The vulnerability poses a severe threat to internal enterprise security pipelines. Since the payload runs as the active process user, the blast radius matches the system permissions directly. For instance, a developer terminal tool will execute commands with the developer’s local credentials. Similarly, a compromised CI/CD job will expose sensitive repository tokens and corporate deployment keys.

Permanent Proxy Threats

Although the attacker deleted the original GitHub repository, the threat persisted online for months. This occurred because the official Go Module Proxy automatically caches module versions indefinitely. Consequently, standard Go developer tools continued serving the malicious module version upon request.

Recommended Remediation Steps

Fortunately, the Go security team responded quickly to the disclosure. They have officially withdrawn the module from the centralized proxy server. Any attempt to fetch the compromised package now returns a strict security error.

Ultimately, CISOs and junior system administrators must proactively defend their application ecosystems against these hidden threats. We recommend taking the following actions immediately:

• Check your historical go.mod dependency files for references to shopsprint.
• Replace any compromised imports with the legitimate shopspring library.
• Audit your network logs for unexpected outbound traffic to the dynamic DNS domain.