A malicious package has been discovered in the Go ecosystem, imitating the BoltDB package. This package contains a backdoor, allowing remote code execution. The vulnerability exploits the Go Module Mirror’s caching mechanism, enabling the malware to persist undetected for an extended period. Developers who manually audited the package on GitHub did not find malicious code. The package’s strategic alteration of the git tag on GitHub further concealed the malware from manual review.