Paul Krill
Editor at Large

Malicious package found in the Go ecosystem – update

news
Feb 5, 2025 · 2 mins

The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.


Update February 6: Google has removed the package and provided the following statement:

The module has been removed from both the Go module proxy and GitHub, and we’ve added it to the Go vulnerability database for anyone who thinks they may have been impacted. We are addressing this through fixes like capability analysis via Capslock and running comparisons with deps.dev. We want to thank Socket and the Go team contributors that detected the module and are addressing fixes. We’ll continue to work with the wider industry to raise awareness around common open source security issues like these and work being done through initiatives like SLSA and OpenSSF.

A malicious typosquat package has been found in the Go language ecosystem. The package, which contains a backdoor to enable remote code execution, was discovered by researchers at the application security company Socket.

A February 3 Socket blog post states that the package impersonates the widely used Bolt database module. The BoltDB package is widely adopted in the Go ecosystem, with 8,367 packages dependent on it, according to the blog. Once the malicious version had been cached by the Go Module Mirror, the attacker rewrote the corresponding git tag on GitHub so that it no longer carried the malicious code, hiding it from manual review. Developers who manually audited github.com/boltdb-go/bolt on GitHub found no trace of a backdoor, but downloading the package through the Go Module Proxy still served the originally cached, backdoored version. The deception went undetected for more than three years, allowing the malicious package to persist in the mirror's cache.

Socket has petitioned to have the package removed from the module mirror and reported the threat actor’s GitHub repository and account, which were used to distribute the malicious boltdb-go package. This attack is among the first documented instances of a bad actor exploiting the Go Module Mirror’s indefinite caching of modules, according to Socket. To mitigate software supply-chain threats, Socket advised that developers verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect the installed code itself rather than the source shown on GitHub. Google, where Go was designed, could not be immediately reached for comment about the issue on February 5.
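The two paragraphs above describe the trick (the proxy keeps serving a cached module zip while the git tag on GitHub is moved to clean code) and the advice (verify integrity of what was actually installed). The check a practitioner wants is to compare the hash of what the tag contains today against the hash go.sum pinned when the module was first fetched through the proxy. The following is an added example written for this article, not code from Socket, Google or the Go project; it reimplements the "h1:" go.sum hash format with the standard library and runs on constructed in-memory files. The module path example.com/boltdb-typosquat, the version v0.0.1 and the file contents are all hypothetical, and the injected file is a placeholder, not the real payload.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFile is one file of a module tree, keyed by its path inside the module.
// Contents live in memory so the example runs offline.
type ModuleFile struct {
	Path    string
	Content []byte
}

// Hash1 reproduces the "h1:" hash format used by go.sum and sum.golang.org for
// module zips (the dirhash Hash1 algorithm): SHA-256 each file, write one
// "<sha256 hex>  <path>\n" line per file in sorted path order, then SHA-256 the
// summary and base64-encode it. The go tool prefixes each path with
// "module@version/"; that prefix is omitted here, which only matters if you
// compare against a hash the go tool itself produced.
func Hash1(files []ModuleFile) string {
	sorted := make([]ModuleFile, len(files))
	copy(sorted, files)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })

	var summary strings.Builder
	for _, f := range sorted {
		sum := sha256.Sum256(f.Content)
		fmt.Fprintf(&summary, "%x  %s\n", sum, f.Path)
	}
	final := sha256.Sum256([]byte(summary.String()))
	return "h1:" + base64.StdEncoding.EncodeToString(final[:])
}

// GoSumEntry is one line of go.sum: module path, version and the h1 hash.
type GoSumEntry struct {
	Module, Version, Hash string
}

// ParseGoSumLine parses "module version h1:...". Lines of the "version/go.mod"
// form are returned with the suffix kept in Version so callers can skip them.
func ParseGoSumLine(line string) (GoSumEntry, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
		return GoSumEntry{}, errors.New("malformed go.sum line: " + line)
	}
	return GoSumEntry{Module: fields[0], Version: fields[1], Hash: fields[2]}, nil
}

// TagMatchesPinnedHash re-hashes the files currently found under the VCS tag
// and compares them with the hash go.sum pinned when the module was first
// fetched through the proxy. false means the tag's contents changed after the
// proxy cached the module, which is the rewrite described in the article.
func TagMatchesPinnedHash(entry GoSumEntry, tagFilesNow []ModuleFile) bool {
	return Hash1(tagFilesNow) == entry.Hash
}

// Constructed sample data (hypothetical module path, version and contents):
// the version the proxy cached carries an extra file, the tag was later moved
// to a commit without it.
var (
	cleanSource = []byte("package bolt\n\nfunc Open() error { return nil }\n")
	// Placeholder standing in for injected code; deliberately not a payload.
	injectedSource = []byte("package bolt\n\nfunc init() { /* hidden loader */ }\n")
	goModFile      = []byte("module example.com/boltdb-typosquat\n")

	cachedByProxy = []ModuleFile{
		{Path: "bolt.go", Content: cleanSource},
		{Path: "zz_loader.go", Content: injectedSource},
		{Path: "go.mod", Content: goModFile},
	}
	tagContentsNow = []ModuleFile{
		{Path: "bolt.go", Content: cleanSource},
		{Path: "go.mod", Content: goModFile},
	}
)

// PinnedEntry is what go.sum recorded on the day the module was first downloaded.
func PinnedEntry() GoSumEntry {
	return GoSumEntry{Module: "example.com/boltdb-typosquat", Version: "v0.0.1", Hash: Hash1(cachedByProxy)}
}

func main() {
	entry := PinnedEntry()
	fmt.Printf("go.sum pinned:  %s %s %s\n", entry.Module, entry.Version, entry.Hash)
	fmt.Printf("tag hashes to:  %s\n", Hash1(tagContentsNow))
	if !TagMatchesPinnedHash(entry, tagContentsNow) {
		fmt.Println("MISMATCH: the tag no longer matches what the proxy served; audit the cached zip, not GitHub")
	}
}
```

In a real investigation the same comparison is done with the go tool rather than this reimplementation: the Sum field printed by `go mod download -json module@version` is what the proxy served, and running the same command with GOPROXY=direct fetches from the repository as it is now; a differing Sum means the tag moved, and the checksum database will refuse the second hash. The point the example makes is that the artifact to audit is the module zip in the cache, since the GitHub tree can be changed after the fact.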

Paul Krill is editor at large at InfoWorld. Paul has been covering computer technology as a news and feature reporter for more than 35 years, including 30 years at InfoWorld. He has specialized in coverage of software development tools and technologies since the 1990s, and he continues to lead InfoWorld’s news coverage of software development platforms including Java and .NET and programming languages including JavaScript, TypeScript, PHP, Python, Ruby, Rust, and Go. Long trusted as a reporter who prioritizes accuracy, integrity, and the best interests of readers, Paul is sought out by technology companies and industry organizations who want to reach InfoWorld’s audience of software developers and other information technology professionals. Paul has won a “Best Technology News Coverage” award from IDG.
