Cybersecurity researchers have identified a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to compromised systems.
The package, named , is a typosquat of the legitimate BoltDB database module ( ), per Socket. The malicious version (1.3.1) was published to GitHub in November 2021, after which the Go Module Mirror service cached it indefinitely.
Security researcher Kirill Boychenko said in an analysis that “once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands.”
Socket described this as one of the earliest cases of a threat actor abusing the Go Module Mirror’s indefinite caching of modules to trick users into downloading the package. The attacker is alleged to have later modified the source repository’s Git tags to point them at the benign version.
Because of the caching mechanism, the backdoored version remained available for download by unsuspecting developers installing the package with the Go CLI, even though a routine audit of the GitHub repository would not reveal any malicious content.
“Once a module version is cached, it remains accessible through the Go Module Proxy, even if the original source is later modified,” Boychenko said. “While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository.”
Developers and security teams should watch for attacks that exploit cached module versions, since immutable modules offer both security benefits and potential abuse vectors.
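One check a defender can run for the scenario described above: rebuild the module zip from the repository tag and compare its Go module hash with the one the proxy serves for the same module@version. The following Python script is an added example, not Socket's tooling; it re-implements the h1 dirhash used by the Go module system (sorted "sha256hex  entryname" lines, then sha256 and base64) and diffs two constructed snapshots, using a placeholder module path rather than the package named in the report.

```python
import base64
import hashlib

# Go module "h1:" hash, as computed by golang.org/x/mod/sumdb/dirhash.Hash1:
# sha256 over the lines "<sha256hex of file>  <zip entry name>\n", sorted by name.
def go_h1_hash(files):
    summary = hashlib.sha256()
    for name in sorted(files):
        if "\n" in name:
            raise ValueError(f"invalid zip entry name: {name!r}")
        summary.update(f"{hashlib.sha256(files[name]).hexdigest()}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()

def diff_module_snapshots(module, version, proxy_files, source_files):
    """Compare the zip a proxy serves for module@version with a zip rebuilt from
    the repository tag. Returns both h1 sums and the entries that differ."""
    prefix = f"{module}@{version}/"  # Go module zips prefix every entry this way
    proxy = {prefix + p: c for p, c in proxy_files.items()}
    source = {prefix + p: c for p, c in source_files.items()}
    return {
        "proxy_sum": go_h1_hash(proxy),
        "source_sum": go_h1_hash(source),
        "only_in_proxy": sorted(set(proxy) - set(source)),
        "only_in_source": sorted(set(source) - set(proxy)),
        "changed": sorted(p for p in set(proxy) & set(source) if proxy[p] != source[p]),
    }

# Constructed sample (placeholder module path): the repository tag now points at
# a clean tree, but the proxy still serves the zip it cached from an earlier commit.
MODULE, VERSION = "github.com/example-org/placeholder-db", "v1.3.1"
CLEAN = {
    "go.mod": b"module github.com/example-org/placeholder-db\n",
    "db.go": b"package db\n\nfunc Open(path string) error { return nil }\n",
}
CACHED = dict(CLEAN)
CACHED["db.go"] = b"package db\n\nfunc Open(path string) error { return extra() }\n"
CACHED["extra.go"] = b"package db\n\nfunc extra() error { return nil }\n"

if __name__ == "__main__":
    report = diff_module_snapshots(MODULE, VERSION, CACHED, CLEAN)
    if report["proxy_sum"] != report["source_sum"]:
        print("MISMATCH: proxy cache differs from the repository tag")
        for key in ("only_in_proxy", "only_in_source", "changed"):
            print(f"  {key}: {report[key]}")
```

A matching pair of sums does not prove the code is safe, only that the proxy and the tag agree; a mismatch is the signal that the cached artifact needs a manual review.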
The disclosure comes as Cycode detailed three malicious npm packages – serve-static-corell, openssl-node, and next-refresh-token – that harbored obfuscated code to collect system metadata and run arbitrary commands issued by a remote server (“8.152.163[.]60”) on the infected host.