Go Package Backdoor Exploits Module Cache to Create Permanent Backdoors

Go Package Repository Hit by Supply Chain Attack

A sophisticated software supply chain attack targeting the Go ecosystem has been discovered by cybersecurity researchers. The attack involves a malicious package that provides unauthorized remote access to compromised systems.

The malicious package, identified as github.com/boltdb-go/bolt, impersonates the legitimate BoltDB database module (github.com/boltdb/bolt). Published to GitHub in November 2021, the fraudulent version 1.3.1 was permanently cached by the Go Module Mirror service.

Security researcher Kirill Boychenko revealed that the backdoored package enables threat actors to execute arbitrary commands on infected systems. This incident represents one of the earliest known cases where attackers exploited Go Module Mirror’s indefinite caching feature.

The attackers then modified the Git tags in the source repository so that they pointed at legitimate, clean versions. A manual audit of the repository therefore appeared safe, while the malicious version already cached by the mirror continued to be served to anyone fetching the module through the go CLI.

Boychenko emphasized that once cached, module versions remain accessible through the Go Module Proxy, regardless of subsequent source modifications. This design, while beneficial for legitimate uses, was exploited to maintain persistent distribution of malicious code.
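The same immutability that keeps a cached malicious version available also works in the defender's favour: the `h1:` line that `go.sum` (and the checksum database) records for a version is computed over the module zip's contents, not over the Git tag, so a version whose source was swapped after the fact no longer matches its pinned hash. The following Go program is an added example, not code from the article or from the Go project: it reimplements the `h1` algorithm with the standard library alone (each file's SHA-256 hex digest and name listed in sorted order, and that list hashed again and base64-encoded), pins a constructed in-memory "v1.3.1" file set, and shows that a re-tagged file set with one changed file fails the pin check. The module path, version and file contents are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles is a constructed in-memory stand-in for a module zip:
// file name (including the module@version/ prefix used in the zip) -> contents.
type ModuleFiles map[string][]byte

// hash1 reproduces the go.sum "h1:" hash: for each file in sorted name order,
// write "<sha256 hex>  <name>\n" into a SHA-256, then base64 the final digest.
func hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fh := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", fh[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verifyPinned reports whether a fetched file set still matches the hash
// recorded for that version in go.sum.
func verifyPinned(files ModuleFiles, pinned string) bool {
	return hash1(files) == pinned
}

// originalV131 is the constructed content first published under the tag.
func originalV131() ModuleFiles {
	return ModuleFiles{
		"github.com/example/bolt@v1.3.1/go.mod": []byte("module github.com/example/bolt\n"),
		"github.com/example/bolt@v1.3.1/db.go":  []byte("package bolt\n\nfunc Open() {}\n"),
	}
}

// retaggedV131 is the same tag after the repository content was swapped:
// one file differs, so the content hash must differ too.
func retaggedV131() ModuleFiles {
	f := originalV131()
	f["github.com/example/bolt@v1.3.1/db.go"] = []byte("package bolt\n\nfunc Open() {}\n\nfunc init() {}\n")
	return f
}

func main() {
	pinned := hash1(originalV131()) // what go.sum / the checksum database would record
	fmt.Println("pinned:", pinned)
	fmt.Println("original matches pin:", verifyPinned(originalV131(), pinned))
	fmt.Println("retagged matches pin:", verifyPinned(retaggedV131(), pinned))
}
```

In practice this check is what `go mod verify` and the `sum.golang.org` lookup perform for you; the point of spelling it out is that the pin is on content, so an audit that only reads the repository at its current tag sees a different artifact than the one the proxy keeps serving.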

Additionally, researchers at Cycode identified three malicious npm packages – serve-static-corell, openssl-node, and next-refresh-token – containing obfuscated code designed to collect system information and execute remote commands from a specific server (8.152.163[.]60).
