News: 1738690091

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Poisoned Go programming language package lay undetected for 3 years

(2025/02/04)


A security researcher says a backdoor masquerading as a legitimate Go programming language package used by thousands of organizations was left undetected for years.

Kirill Boychenko, threat intelligence analyst at Socket Security, blogged today about what seems to be a supply chain attack on the BoltDB database module, which is depended on by more than 8,000 other packages and major organizations such as Shopify and Heroku.

BoltDB, the legitimate URL of which is [1]github.com/boltdb/bolt , was created nine years ago but was declared complete by the author a year later and hasn't been updated since.

[2]

The malicious copycat uses the popular [3]typosquatting technique to try to trick users into downloading it. Should a developer happen to confuse the legitimate package with the copycat (github.com/boltdb-go/bolt – subtle difference), they would end up having a backdoor that allows remote code execution (RCE) in their project.

[4]

[5]

The malicious version is still searchable on the Go Module Proxy and has been left undetected for three years, [6]says Boychenko, who sent a request to [7]Go for its removal.

Fortunately, it also appears to have gone undetected by many project maintainers, with only two imports of the backdoored version recorded – both by a single cryptocurrency project with just seven followers.

[8]

There's no way of knowing how many times the package has been downloaded, though, since Go doesn't track the metric. Looking at the dodgy version's GitHub page, however, it shows zero stars or forks, and no pull requests made in three years, suggesting it has flown largely under the radar.

Regardless, Boychenko says the way in which the creator exploited Go's package system highlights a flaw that requires greater understanding among developers.

The original boltdb-go package was published to [9]GitHub . When it is first requested, the Go Module Mirror service caches the package and makes it available indefinitely.

[10]

The malicious project author then modified the project's Git tags to point to the legitimate version (boltdb) so that a manual review of boltdb-go wouldn't reveal any signs of foul play, all while the malicious version was still being served to unsuspecting developers.

"This attack is among the first documented instances of a malicious actor exploiting the Go Module Mirror's indefinite caching of modules," says Boychenko in his write-up. "While no prior cases have been reported publicly, this incident highlights a critical need to raise awareness of similar persistence tactics in the future.

[11]North Koreans clone open source projects to plant backdoors, steal credentials

[12]Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet

[13]Crims backdoored the backdoors they supplied to other miscreants. Then the domains lapsed

[14]Encryption backdoor debate 'done and dusted,' former White House tech advisor says

"With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection."

Go's immutable modules mean baddies can't go into a popular package and modify its code after being downloaded, which is a boon to the ecosystem's security and underpins many of the features the Go team [15]cites that help mitigate [16]software supply chain attacks .

However, Go's immutability means once a malicious version such as boltdb-go is cached, it's there forever. It continues to be served to Go devs in its harmful state.

"To mitigate supply chain threats, developers should verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level," Boychenko adds.

"Ensuring that Go's module ecosystem remains resilient against such attacks requires ongoing vigilance, improved security mechanisms, and better awareness of how threat actors exploit software distribution channels."

Socket reported boltdb-go and a similar bolt-db, which wasn't deemed malicious, to Go's devs for permanent removal so neither can be misused in the future.

The Register asked the Go team to comment, and it didn't immediately respond. ®

Get our [17]Tech Resources



[1] https://github.com/boltdb/bolt

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z6KcDVT_NBH7OIo9fHvkFAAAAcU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z6KcDVT_NBH7OIo9fHvkFAAAAcU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z6KcDVT_NBH7OIo9fHvkFAAAAcU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence

[7] https://www.theregister.com/2022/09/06/go_govulncheck_vulnerability_tool/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z6KcDVT_NBH7OIo9fHvkFAAAAcU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/11/05/python_dethrones_javascript_github/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z6KcDVT_NBH7OIo9fHvkFAAAAcU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[11] https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/

[12] https://www.theregister.com/2025/01/25/mysterious_backdoor_juniper_routers/

[13] https://www.theregister.com/2025/01/08/backdoored_backdoors/

[14] https://www.theregister.com/2025/01/04/encryption_backdoor_debate/

[15] https://go.dev/blog/supply-chain

[16] https://www.theregister.com/2024/05/03/it_might_take_a_decade/

[17] https://whitepapers.theregister.com/



cyberdemon

And no doubt now, with the news coverage mentioning the typosquatted URL, LLMs will be parroting it as the real URL

I am amazed that Go have not removed it yet, but then again, there are not many humans left at Google

Go doesn't track the metric

Gene Cash

Wait. You're a download site, and you don't track the number of downloads?

Clowns.

Re: Go doesn't track the metric

that one in the corner

Ok, I'll bite (and let you point out my gross ignorance of serving up files):

It may appear as though counting the number of downloads might[1] be of interest in judging the impact of this problem[2], but aside from that possibility, you seem to be very certain that they should be tracking all the individual downloads even when/if everything is all hunky-dory.

Can you please explain why? What would they - Google or all the devs using Go - get from doing that?

They aren't (AFAIK) using this mirror to, say, build a list of most popular downloads this week, they very explicitly aren't looking to only mirror the 1000 favourite packages (and saving space by deleting the rest). It isn't something humans are supposed to be excited about reading and starring their favourites.

For what purpose - and at what level of detail - would they need to be tracking to avoid being "clowns" when it comes to running an immutable cache server?

[1] it is a cache - does 100 downloads indicate 100 separate projects hitting it, 100 people/build machines all on the same project or 1 person who isn't bothering to keep a local copy? What is the cost of trying to track and separate those cases - and what would be the use of that data to warrant the cost of gathering and keeping it?

[2] back to cost and likelihood of that spend actually helping (other than making for an exciting headline).

TeeCee

...a single cryptocurrency project with just seven followers.

Looks like someone's get rich quick scheme failed to take off.

cyberdemon

You mean the one to steal crypto keys from er, at least 7 people?

Although yeah, not really taking off, which is fortunate.

What I mean is, said crypto scheme ought to be investigated as a possible source of the fake package. If they are the sole project on GitHub using it, then it is more than a little suspicious that they might not be innocent victims.

stiine

Or really, really well.

If you love someone, set them free.
If they don't come back, then call them up when you're drunk.