FlagThis

A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.

ImgSrc: devops.com

References:

• CISO2CISO.COM & CYBER SECURITY GROUP - Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of g - 17d
• lobste.rs - Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence - 17d
• The Hacker News - Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access - 17d
• @campuscodi.risky.biz - Catalin Cimpanu - Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it in the - 16d
• ciso2ciso.com - Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access - 16d
• fosstodon.org - Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence - 15d
• DevOps.com - Typosquat Supply Chain Attack Targets Go Developers - 15d
• securityonline.info - Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s - 15d
• Malware Archives ? Cybersecurity News - Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s The post appeared first on . - 15d
• News | CSO Online - Malicious package found in the Go ecosystem - 15d
• ciso2ciso.com - Malicious package found in the Go ecosystem – Source: www.infoworld.com - 15d
• CISO2CISO.COM & CYBER SECURITY GROUP - Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite mod - 14d
• @heiseonlineenglish - Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malw - 14d
• www.heise.de - Typosquatting in the Go ecosystem: Fake BoltDB package discovered - 14d

Classification:

• HashTags: Go Malware SupplyChainAttack
• Company: Go
• Target: Go Developers
• Product: Go
• Feature: Typosquatting
• Type: Malware
• Severity: Major