Malicious Go Package Exploits Caching for Stealthy Persistence

Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s caching mechanism for persistence. The malicious package, github.com/boltdb-go/bolt, impersonates the widely used BoltDB database module, github.com/boltdb/bolt.

The malicious package contains a backdoor that enables remote code execution, allowing a threat actor to control infected systems. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malware, hiding it from manual code review.

This attack is among the first documented instances of a malicious actor exploiting the Go Module Mirror’s indefinite caching of modules. “While no prior cases have been reported publicly, this incident highlights a critical need to raise awareness of similar persistence tactics in the future,” the Socket researchers warn.

The threat actor, using the GitHub alias “boltdb-go”, initially published a malicious version v1.3.1 to GitHub, which was then cached indefinitely by the Go Module Mirror service. Once the package was cached, they rewrote the GitHub tag to point to a clean, legitimate version, ensuring that a manual audit of the GitHub repository would not reveal any malicious content. However, due to Go’s caching mechanism, developers installing the package using the go CLI continued to download the cached malicious version from the Go Module Mirror, rather than the updated, benign version.

The malicious package remains available on the Go Module Proxy as of the publication of the Socket report. Socket researchers have petitioned its removal from the module mirror and have also reported the threat actor’s GitHub repository and account.

Developers are advised to be vigilant when installing Go packages and to carefully check the package names to avoid typosquatting attacks.

Related Posts:

• Zloader’s Comeback: Navigating the Enhanced Trojan Threat