A malicious package has been discovered in the Go ecosystem that imitates the BoltDB package. The package contains a backdoor that allows remote code execution. The attack exploits the Go Module Mirror’s caching mechanism, which enabled the malware to persist undetected for an extended period. Developers who manually audited the package on GitHub did not find any malicious code, because the git tag on GitHub had been deliberately altered, further concealing the malware from manual review.
Confusion between two similar npm commands, ‘npm add user’ and ‘npm adduser’, has led a significant number of developers to inadvertently install a benign package named ‘user’. This easy-to-make typo highlights a potential supply chain risk: the package, currently benign, could be updated with malicious code, exposing every developer who has made this common error.