The Socket Threat Research Team has uncovered a malicious Go package that operated undetected for over four years. The package, a typosquat of a widely trusted library, contained a sophisticated backdoor designed to quietly siphon sensitive data to a public pastebin service.
The malicious packages, identified as github.com/bpoorman/uuid and github.com/bpoorman/uid, mimic the popular pborman/uuid and google/uuid libraries, which serve as the de facto standard for generating unique identifiers in the Go ecosystem.
First published in May 2021, the malicious library relied on a subtle typosquatting technique. The threat actor, operating under the alias “bpoorman,” created a package that visually and functionally mirrored the legitimate pborman/uuid library.
“The threat actor behind the GitHub alias bpoorman imitates the long-standing github.com/google/uuid and github.com/pborman/uuid packages,” the report states, “preserving their legitimate UUID behavior while adding a backdoor through a hidden Valid function.”
To a developer glancing at their dependencies, the difference between pborman and bpoorman is easily missed, allowing the rogue package to slip into projects unnoticed.
The backdoor was engineered for stealth. It introduced a helper function named Valid, which masqueraded as a standard validation check. However, its true purpose was exfiltration.
According to the analysis, this function “silently encrypts and uploads caller-supplied data using a hardcoded dpaste API token.”
When a developer passed a value to Valid—perhaps a user ID, session token, or email address—the function would concatenate the data, encrypt it using AES-CFB, and upload the payload to dpaste.com. The report notes that “errors are silently suppressed,” ensuring that the exfiltration process never crashed the host application or alerted the victim.
The choice of exfiltration channel was particularly clever. By using dpaste, a legitimate pastebin service, the attackers blended their malicious traffic with normal developer activity.
“Using a public paste site as a collection point offers several advantages: it blends malicious traffic with normal developer usage, removes the need to register and maintain threat actor-controlled infrastructure, and shifts storage to a third-party service that enterprise defenders may not monitor closely.”
Despite being live for years, the package remained accessible on public mirrors until recently. “At the time of writing, the malicious github[.]com/bpoorman/uuid package is still listed on the Go package discovery site pkg.go.dev,” the report warns.
Developers are urged to audit their go.mod files immediately for any references to bpoorman and replace them with the legitimate google/uuid or pborman/uuid packages.
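One way to run that audit, as an added example that is not code from Socket's report or from either uuid project: a small Go program (standard library only) that scans go.mod text for the two module paths named above, covering single-line and block `require` directives, `// indirect` entries, and `replace` directives that redirect a legitimate path to the typosquat. The sample go.mod is constructed for the demonstration.

```go
package main
import (
	"fmt"
	"strings"
)
// Typosquat module paths named in the report; both imitate google/uuid and pborman/uuid.
var Typosquats = []string{"github.com/bpoorman/uuid", "github.com/bpoorman/uid"}
// AuditGoMod scans go.mod text for require and replace directives (single-line
// and block forms, "// indirect" entries included) that reference a typosquat,
// including a replace target. Findings read "go.mod:<line> <module path>".
func AuditGoMod(content string) []string {
	var out []string
	inBlock := false
	for n, raw := range strings.Split(content, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and comments
		fields := strings.Fields(line)
		directive := len(fields) > 0 && (fields[0] == "require" || fields[0] == "replace")
		switch {
		case directive && len(fields) == 2 && fields[1] == "(":
			inBlock = true
			continue
		case len(fields) == 1 && fields[0] == ")":
			inBlock = false
			continue
		case !directive && !inBlock:
			continue // module, go, toolchain and exclude lines
		}
		for _, f := range fields {
			for _, bad := range Typosquats {
				if f == bad || strings.HasPrefix(f, bad+"/") {
					out = append(out, fmt.Sprintf("go.mod:%d %s", n+1, f))
				}
			}
		}
	}
	return out
}
// Constructed sample go.mod mixing legitimate and typosquatted references.
const sampleGoMod = `module example.com/app
require github.com/bpoorman/uid v1.0.0
require (
	github.com/google/uuid v1.6.0
	github.com/bpoorman/uuid v1.2.3 // indirect
)
replace github.com/pborman/uuid => github.com/bpoorman/uuid v1.2.3`
func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Println(f, "-> switch to google/uuid or pborman/uuid")
	}
}
```

Run it against a real go.mod by reading the file into `AuditGoMod`; a clean module list returns no findings.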