How Perpetual Module Caching Became an Attack Tool.

A malicious package has been discovered in the Go programming language ecosystem that had remained undetected for three years. Cyberthreat analyst Kirill Boychenko of Socket Security reported the discovery on his blog, stating that the attackers impersonated the popular BoltDB database package, which is used by thousands of organizations, including Shopify and Heroku.
BoltDB, hosted on GitHub at github.com/boltdb/bolt, was created nine years ago and stopped being updated a year after its release. The attackers used a technique called typosquatting to create a fake package at github.com/boltdb-go/bolt. The difference in name is minimal, but once the fake is installed, the project contains a backdoor that allows remote code execution.

Despite the fact that the malicious version remained available on Go Module Proxy for three years, no traces of its widespread use were found. According to Boychenko, the fake package was imported only twice, both times by a single cryptocurrency project with only seven subscribers. Go does not keep download statistics, but the lack of stars and forks on GitHub over three years suggests that the module has not been widely distributed.
However, the incident revealed a weakness in the Go package management system. When a package version is first downloaded, it is cached by the Go Module Mirror service and remains available indefinitely. The attackers took advantage of this by first publishing the malicious version so that it entered the cache, and then rewriting the Git tags so that the repository looked harmless to anyone who inspected it. Meanwhile, the malicious version continued to be served from the cache.
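A check a defender can run against exactly this failure mode, as an added example that is not part of the original report: rebuild the go.sum-style `h1:` hash (Go's dirhash Hash1 algorithm) over the module tree served by the proxy cache and over a fresh checkout of the same Git tag, and list the files that differ. The module path, version and file contents below are constructed sample data, not anything from the incident.

```python
import base64
import hashlib
import os
import tempfile

def hash1(files):
    """Go's dirhash Hash1: sha256 over sorted "<hex file sha256>  <name>\n" lines,
    base64-encoded with an "h1:" prefix, exactly as recorded in go.sum.
    `files` maps zip-style names ("module@version/relative/path") to contents."""
    h = hashlib.sha256()
    for name in sorted(files):
        if "\n" in name:
            raise ValueError("newline in filename: %r" % name)
        h.update(f"{hashlib.sha256(files[name]).hexdigest()}  {name}\n".encode())
    return "h1:" + base64.b64encode(h.digest()).decode()

def read_tree(root, prefix):
    """Collect every file under `root`, keyed by prefix + POSIX relative path."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                files[prefix + rel] = f.read()
    return files

def compare_trees(proxy_root, git_root, prefix):
    """Hash both trees the way go.sum would and report what diverged."""
    proxy, git = read_tree(proxy_root, prefix), read_tree(git_root, prefix)
    return {
        "proxy_h1": hash1(proxy),
        "git_h1": hash1(git),
        "match": hash1(proxy) == hash1(git),
        "only_in_proxy": sorted(proxy.keys() - git.keys()),
        "only_in_git": sorted(git.keys() - proxy.keys()),
        "changed": sorted(n for n in proxy.keys() & git.keys() if proxy[n] != git[n]),
    }

def demo():
    """Constructed sample: a tag checkout and a cached copy carrying one extra file."""
    prefix = "example.com/sample/bolt@v0.0.1/"  # hypothetical module path and version
    with tempfile.TemporaryDirectory() as git_root, tempfile.TemporaryDirectory() as proxy_root:
        for root in (git_root, proxy_root):
            with open(os.path.join(root, "bolt.go"), "w") as f:
                f.write("package bolt\n")
        with open(os.path.join(proxy_root, "init.go"), "w") as f:
            f.write("package bolt\n\nfunc init() {}\n")  # present only in the cached copy
        return compare_trees(proxy_root, git_root, prefix)

if __name__ == "__main__":
    print(demo())
```

In practice the two inputs are the directory `go mod download -json` reports and a clone of the tagged commit; any non-empty `only_in_proxy` or `changed` list means the cache and the repository no longer agree.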
“This is one of the first documented cases of exploitation of the perpetual caching of Go modules,” Boychenko notes. In his opinion, the immutability of modules both improves the security of the ecosystem and creates opportunities for attacks. He called on developers to carefully check the integrity of packages before installation, analyze dependencies, and use tools for deep code auditing.
Socket Security has already sent a request to the Go team to remove boltdb-go, as well as another similar module bolt-db, which is not considered malicious. So far, there has been no official response from the Go developers.
