A backdoor that impersonates a widely used database module in the popular Go programming language can give hackers control of infected systems, according to a senior threat intelligence analyst with developer-focused platform provider Socket.
The malicious package, which the threat actor first published in November 2021 and remains in the Go Module Proxy, typosquats the legitimate BoltDB database module that is used by a broad range of organizations, including e-commerce company Shopify and Heroku, a cloud platform-as-a-service (PaaS) organization, Socket’s Kirill Boychenko wrote in a blog post.
The attack illustrates how a bad actor can exploit features in the Go Module Mirror, in particular the indefinite caching of modules, Boychenko wrote. In this case, once the threat actor published the initial malicious version – v1.3.1 – to GitHub, it was indefinitely cached by the Go Module Mirror service.
“While no prior cases have been reported publicly, this incident highlights a critical need to raise awareness of similar persistence tactics in the future,” he wrote. “With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection.”
Targeting the Supply Chain
The backdoor is another indication of the continued focus by cybercriminals on exploiting the software supply chain to launch their campaigns – including the planting of malicious packages in code repositories like GitHub, npm and Python Package Index (PyPI) – and highlights the ongoing popularity of the Go language.
Developer Nation, a developer community, said in a report in September 2024 that 11.5% of backend developers surveyed said they use Go, a language created by Google. The adoption rate has remained stable in recent years – JavaScript, Java (39%) and Python are still more widely used – but the size of the Go community has expanded along with that of the backend developer population.
Within the Go ecosystem, the BoltDB package is broadly used, with 8,367 packages depending on it, Socket’s Boychenko wrote, adding that “its extensive use across thousands of projects positions BoltDB among the most prominent and trusted modules in the Go community.”
He added that Socket has petitioned to have the malicious package removed from the Go Module Mirror and has reported the associated GitHub repository and account, which were used to distribute the package.
Typical Typosquat
The malicious package is named github.com/boltdb-go/bolt, which closely resembles the legitimate BoltDB module path, github.com/boltdb/bolt, and – as with all typosquatting campaigns – is meant to trick developers into fetching the attacker’s package instead of the real one.
The backdoor “enables remote code execution, allowing a threat actor to control infected systems via a command and control (C2) server,” Boychenko wrote. “After the malware was cached by the Go Module Mirror, which the Go CLI toolchain downloads from, the git tag was strategically altered on GitHub to remove traces of malware, hiding it from manual code review.”
Immutability Challenges
A key to the attack was how the Go Module Proxy service works, he wrote. The service is designed for performance and availability, so once a module version has been cached it remains available through the Go Module Proxy even if the original source is modified afterward. That design benefits legitimate use cases, but here the attacker exploited it to ensure that the proxy kept distributing the malicious code even though the repository itself had been changed.
Such immutability is used to ensure that any user that uses a tagged version gets the same bits, which prevents silent changes or overwrites after they’re published. It also has security benefits, including making sure that a compromised library can’t replace code that’s already been downloaded, he wrote. However, once a malicious version is published, it remains malicious in the cache.
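Because the mirror keeps serving the bits it cached while the git tag at the origin was moved to a clean commit, a defender can expose this kind of rewrite by comparing the module the proxy serves against a fresh checkout of the same tag. The following Go program is an added example and is not code from the article or from Socket: it re-implements the `h1:` module hash format recorded in `go.sum` (a SHA-256 over a sorted summary of per-file SHA-256 digests, as in `golang.org/x/mod/sumdb/dirhash.Hash1`; in production use that package rather than this copy) and reports which files differ. The two file sets, the module path `example.com/lookalike/db` and the file contents are constructed placeholders; in practice the proxy side comes from the zip that `go mod download -json` reports and the origin side from a fresh clone of the tag.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// moduleFiles maps a file name, as it appears inside a module zip
// ("<module>@<version>/<path>"), to its content.
type moduleFiles map[string][]byte

// Constructed sample data (not from the article). The proxy-cached copy carries
// an extra source file that a later rewrite of the tag removed from the origin.
const prefix = "example.com/lookalike/db@v1.3.1/"

var sampleOrigin = moduleFiles{
	prefix + "go.mod": []byte("module example.com/lookalike/db\n\ngo 1.21\n"),
	prefix + "db.go":  []byte("package db\n\n// Open is the legitimate-looking API.\nfunc Open(path string) error { return nil }\n"),
}

var sampleCached = moduleFiles{
	prefix + "go.mod":      sampleOrigin[prefix+"go.mod"],
	prefix + "db.go":       sampleOrigin[prefix+"db.go"],
	prefix + "backdoor.go": []byte("package db\n\n// placeholder: file present only in the cached version\n"),
}

// hash1 computes the "h1:" hash over a set of files: each file contributes one
// line "<sha256-hex>  <name>\n" in sorted name order, and the hash of that
// summary is base64-encoded. Assumption: this mirrors dirhash.Hash1.
func hash1(files moduleFiles) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// diffFiles lists files that differ in content or exist on only one side.
func diffFiles(cached, origin moduleFiles) []string {
	var out []string
	seen := map[string]bool{}
	for n, c := range cached {
		seen[n] = true
		o, ok := origin[n]
		switch {
		case !ok:
			out = append(out, n+" (only in proxy cache)")
		case string(o) != string(c):
			out = append(out, n+" (content differs)")
		}
	}
	for n := range origin {
		if !seen[n] {
			out = append(out, n+" (only at origin tag)")
		}
	}
	sort.Strings(out)
	return out
}

// verifyAgainstOrigin returns true when the proxy-served module hashes to the
// same h1 value as a fresh checkout of the tag; otherwise it returns the list
// of files that explain the mismatch.
func verifyAgainstOrigin(cached, origin moduleFiles) (bool, []string) {
	if hash1(cached) == hash1(origin) {
		return true, nil
	}
	return false, diffFiles(cached, origin)
}

func main() {
	ok, diffs := verifyAgainstOrigin(sampleCached, sampleOrigin)
	fmt.Printf("proxy hash:  %s\norigin hash: %s\nmatch: %v\n", hash1(sampleCached), hash1(sampleOrigin), ok)
	for _, d := range diffs {
		fmt.Println("  ", d)
	}
}
```

A matching hash proves only that the proxy and the tag currently agree; a mismatch on a version that `go.sum` already pins is exactly the signal that the origin was rewritten after the mirror cached it, and it is worth treating the cached copy, not the clean tag, as the version to analyze.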
Boychenko noted other reports that looked at the security risks of caching in the Go Module Proxy, including discussions on GitHub and on a reverse-engineering community site.
Evading Detection
The Go typosquat package includes a remote access backdoor embedded in what is otherwise fully functional database code. The malicious code connects to the C2 server at what Boychenko called an obfuscated IP address. The malware takes commands from the server and essentially gives the bad actor full control of the system.
It evades detection by spreading its functions across multiple files within the malicious package, with one file making the backdoor connection while another assembles the components that make up the obfuscated IP address. The malware starts when a developer calls into the package and includes a capability to restart automatically if it crashes, which gives the attacker continuous access to the infected system.
“The threat actor’s use of a clean, unflagged IP hosted on Hetzner Online GmbH (AS24940) indicates a high level of operational security, suggesting that this infrastructure was procured specifically for this campaign to avoid premature detection and blocklisting,” he wrote. “Unlike indiscriminate malware, this backdoor is designed to blend into trusted development environments, increasing the likelihood of widespread compromise before discovery.”
Check the Package
Such attacks put an onus on programmers.
“To mitigate supply chain threats, developers should verify package integrity before installation, analyze dependencies for anomalies and use security tools that inspect installed code at a deeper level,” Boychenko wrote. “Ensuring that Go’s module ecosystem remains resilient against such attacks requires ongoing vigilance, improved security mechanisms and better awareness of how threat actors exploit software distribution channels.”
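One concrete form of “analyze dependencies for anomalies” is to scan a project’s go.mod for require paths that sit a few edits away from a well-known module path, which is the shape of the github.com/boltdb-go/bolt versus github.com/boltdb/bolt look-alike described above. The program below is an added example and is not code from the article or from Socket; the go.mod text and the trusted-module list are constructed for the demonstration, and a real deployment would maintain its own allow-list of vetted module paths.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod sample (not from the article): one require line uses the
// look-alike path the article names, next to two legitimate modules.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/boltdb-go/bolt v1.3.1 // indirect
	golang.org/x/sys v0.20.0
	github.com/spf13/cobra v1.8.0
)
`

// trustedModules is an assumed allow-list of module paths the scanner
// compares against.
var trustedModules = []string{
	"github.com/boltdb/bolt",
	"go.etcd.io/bbolt",
	"golang.org/x/sys",
	"github.com/spf13/cobra",
}

// Finding is one require line that is suspiciously close to a trusted path.
type Finding struct {
	Path, Version, Similar string
	Distance               int
}

// parseRequires extracts module path and version from go.mod require lines,
// handling both the "require (...)" block and single-line "require x v1" forms
// and stripping trailing comments such as "// indirect".
func parseRequires(goMod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				deps[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				deps[f[1]] = f[2]
			}
		}
	}
	return deps
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance (insert/delete/substitute) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// scanGoMod reports require paths that are not on the trusted list but lie
// within maxDistance edits of a trusted path, sorted by path for stable output.
func scanGoMod(goMod string, trusted []string, maxDistance int) []Finding {
	trustedSet := map[string]bool{}
	for _, t := range trusted {
		trustedSet[t] = true
	}
	var findings []Finding
	for path, version := range parseRequires(goMod) {
		if trustedSet[path] {
			continue
		}
		for _, t := range trusted {
			if d := levenshtein(path, t); d <= maxDistance {
				findings = append(findings, Finding{path, version, t, d})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings
}

func main() {
	for _, f := range scanGoMod(sampleGoMod, trustedModules, 3) {
		fmt.Printf("suspicious: %s %s (distance %d from %s)\n", f.Path, f.Version, f.Distance, f.Similar)
	}
}
```

The distance threshold is deliberately small: three edits catches an inserted “-go” segment while leaving unrelated paths alone. The same scan applied to `go list -m all` output, rather than go.mod alone, also covers transitive dependencies.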