Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

Security researchers have identified a software supply chain attack targeting the Go ecosystem that involves a malicious package enabling the adversary to gain remote access to infected systems.

The package is a typosquat of the legitimate BoltDB database module, per Socket. The malicious version (1.3.1) was published to GitHub in November 2021, after which the Go Module Mirror service cached it indefinitely.

Security researcher Kirill Boychenko said in an analysis that "once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands."

According to Socket, the development is one of the earliest cases of a malicious actor abusing the Go Module Mirror's indefinite caching of modules to trick users into downloading the package. The perpetrator is alleged to have subsequently modified the Git tags in the source repository so that they point to a benign version.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="The storage device">
This deceptive approach ensured that a manual audit of the GitHub repository did not reveal any malicious content, while the cache ensured that unsuspecting developers installing the package with the Go CLI continued to download the backdoored variant.

The storage device kept innocent developers installing the item using the head CLI from downloading the backdoored variant, despite the false approach ensuring that a manual audit of the GitHub repository did not uncover any harmful content.

"Once a module version is cached, it remains accessible through the Go Module Proxy, even if the original source is later modified," Boychenko said. While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository.

Because immutable cached modules offer both security benefits and potential abuse vectors, developers and security teams should be on the lookout for attacks that rely on cached module versions.
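The mechanism described above (a version cached once by the module proxy, with the upstream tag later moved to different content) is detectable because Go module checksums are computed over the module's file contents, not over the tag name. The example below is added here and is not code from the original article or from Socket: it reimplements the `h1:` checksum format that `go.sum` records (SHA-256 over sorted lines of `sha256(content)  name`, base64 encoded), computes it for two constructed module trees (the cached one and a retagged one with one file removed), and flags the divergence the way a defender's check would. The module path `example.com/placeholder-module`, the file contents and the `compareSums` helper are all constructed for illustration; no real package name from the incident is used.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// moduleFiles maps a path inside a module zip ("module@version/file") to its contents.
type moduleFiles map[string][]byte

// hash1 reproduces the "h1:" module checksum written to go.sum: SHA-256 over the
// sorted list of "<sha256 of content>  <name>\n" summary lines, base64 encoded.
func hash1(files moduleFiles) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // order must not depend on map iteration
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Verdict is the result of comparing the proxy-cached checksum of a version with
// the checksum produced by fetching the same tag directly from the repository.
type Verdict struct {
	Diverged bool
	Reason   string
}

// compareSums flags a version whose cached copy no longer matches what the
// upstream tag currently resolves to. A mismatch does not prove malice, but it is
// exactly the condition the retagging trick relies on, so it deserves a manual look.
func compareSums(proxySum, directSum string) Verdict {
	if proxySum == directSum {
		return Verdict{Diverged: false, Reason: "cached and upstream checksums agree"}
	}
	return Verdict{
		Diverged: true,
		Reason: fmt.Sprintf("cached %s != upstream %s: tag content changed after caching",
			proxySum, directSum),
	}
}

// demo builds two constructed module trees for the same version and compares them.
func demo() Verdict {
	const prefix = "example.com/placeholder-module@v1.3.1/" // constructed placeholder path
	cached := moduleFiles{
		prefix + "go.mod": []byte("module example.com/placeholder-module\n\ngo 1.17\n"),
		prefix + "db.go":  []byte("package db\n\nfunc Open(path string) error { return nil }\n"),
		// constructed stand-in for a file present only in the cached copy
		prefix + "extra.go": []byte("package db\n\n// file not present at the retagged commit\n"),
	}
	retagged := moduleFiles{
		prefix + "go.mod": cached[prefix+"go.mod"],
		prefix + "db.go":  cached[prefix+"db.go"],
	}
	return compareSums(hash1(cached), hash1(retagged))
}

func main() {
	v := demo()
	fmt.Printf("diverged=%v: %s\n", v.Diverged, v.Reason)
}
```

In practice the two inputs to `compareSums` come from `go mod download -json <module>@<version>` run once with the default `GOPROXY` (the cached copy) and once with `GOPROXY=direct` (the tag as it exists in the repository today); both print a `Sum` field in this `h1:` format. A `go.sum` entry pinned in the repository and enforced by `go mod verify` gives the same protection for builds that already have the correct checksum recorded.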

The development comes as Cycode flagged three malicious npm packages (serve-static-corell, openssl-node, and next-refresh-token) that harbored obfuscated code to collect system metadata and run arbitrary commands issued by a remote server ("8.152.163[.]60") on the infected host.
