Researchers have uncovered a malicious typosquatting package in the Go ecosystem that impersonates the trusted BoltDB database module. This backdoored package enables remote command execution for threat actors, thereby compromising systems. The incident underscores the vulnerability of the Go Module Proxy’s indefinite caching mechanism. Affected: Go ecosystem, developers, organizations using BoltDB
Keypoints :
- A malicious package named github.com/boltdb-go/bolt was identified, masquerading as the legitimate BoltDB package.
- The backdoored package allows remote code execution via a command and control (C2) server.
- The malicious version was cached indefinitely by the Go Module Mirror, misleading developers into downloading it.
- The threat actor modified GitHub tags to hide malware traces, preventing detection via manual audits.
- This attack highlights the risks associated with immutable module caching in the Go ecosystem.
- Socket AI Scanner identified the malicious package format and the routine for maintaining backdoor persistence.
- Another typosquatted package, github.com/bolt-db/bolt, impersonating BoltDB, was noted as potentially problematic but does not contain malicious code.
- Security measures are recommended for developers to verify package integrity and utilize tools for deeper analysis of dependencies.
MITRE Techniques :
- T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
- T1608.001 — Stage Capabilities: Upload Malware
- T1204.002 — User Execution: Malicious File
- T1036.005 — Masquerading: Match Legitimate Name or Location
- T1027 — Obfuscated Files or Information
- T1571 — Non-Standard Port
Indicator of Compromise :
- [Malicious Package] github.com/boltdb-go/bolt
- [Threat Actor GitHub Alias] boltdb-go
- [C2 Server] 49.12.198[.]231:20022
- [Domain] example[.]com
- [Obfuscated IP Address] 49.12.198[.]231 (derived through _r() function)
Full Story: https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence