Researchers with cybersecurity firm Socket have uncovered a sophisticated software supply chain attack affecting the Go programming language ecosystem. The attack involves a malicious package, disguised as a legitimate database module, that allows threat actors to remotely access infected systems.
The malicious package, named ‘github.com/boltdb-go/bolt’, is a typosquatted version of the authentic BoltDB database module (github.com/boltdb/bolt). The malicious variant, version 1.3.1, was published to GitHub in November 2021 and has since been cached indefinitely by the Go Module Mirror (proxy.golang.org), the default proxy that the go command fetches modules through and that keeps serving a version from its cache once it has been downloaded.
Once the backdoored module is pulled into a build, it gives the attacker remote access to the victim's system and the ability to execute arbitrary commands. The researchers noted that this is one of the first known cases of a malicious actor exploiting the Go Module Mirror’s caching behaviour to distribute malware persistently.
The attack started with the threat actor publishing the malicious version of the package to GitHub. Once the Go Module Proxy had fetched and cached that version, the attacker modified the Git tag in the source repository so that it pointed at a clean commit. Because the proxy never re-fetches a version it already holds, developers who installed the package would unknowingly receive the backdoored version from the cache, even though the code visible on GitHub at that tag looked harmless.
The manipulation of Git tags is what made this attack so difficult to detect, the researchers explained. Git tags are mutable by default, meaning that repository owners can move them at will. This allowed the attacker to repoint the v1.3.1 tag at a non-malicious commit, so anyone auditing the repository at that tag saw clean source, while the version originally cached in the Go Module Proxy remained compromised and continued to match the checksum developers had recorded in go.sum.
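The divergence described above, between what the proxy cached and what the repository shows at the same tag, can be demonstrated by recomputing the module checksum that go.sum and the Go checksum database record. The following Go program is an added example written for this article, not code from Socket or from any BoltDB project. It reimplements the "h1:" hash construction (sorted file names, one "<sha256>  <name>" line per file, SHA-256 over the listing, base64 behind an "h1:" prefix, file names prefixed with "<module>@<version>/") over two constructed in-memory trees standing in for the proxy-served zip and the repository at the tag. The module path and version are the ones named in the article; the file contents, the extra file name, and the function names are illustrative assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleTree is a constructed, in-memory stand-in for the files inside a
// module zip: path relative to the module root -> file bytes. A real check
// would populate it from `go mod download` output; this example is offline.
type ModuleTree map[string][]byte

// Hash1 computes the "h1:" checksum the go command records in go.sum for a
// module zip. The construction mirrors golang.org/x/mod/sumdb/dirhash.Hash1:
// sort the file names, emit "<sha256 hex>  <name>\n" for each file, then
// SHA-256 the whole listing and base64-encode it behind "h1:". Names inside
// a module zip carry the "<module>@<version>" prefix, which the caller passes.
func Hash1(prefix string, tree ModuleTree) string {
	names := make([]string, 0, len(tree))
	for name := range tree {
		names = append(names, name)
	}
	sort.Strings(names) // common prefix, so relative order == zip order

	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(tree[name])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], prefix+"/"+name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Verdict holds the two recomputed checksums and whether they differ.
type Verdict struct {
	ProxyHash  string
	SourceHash string
	Diverged   bool
}

// CompareProxyAgainstSource hashes the tree a proxy cached and the tree the
// repository currently has at the same tag. A mismatch means the tag was
// moved (or the artefact tampered with) after the proxy cached it. go.sum
// alone cannot flag this, because it only pins the proxy-served bytes.
func CompareProxyAgainstSource(modulePath, version string, proxyTree, sourceTree ModuleTree) Verdict {
	prefix := modulePath + "@" + version
	v := Verdict{
		ProxyHash:  Hash1(prefix, proxyTree),
		SourceHash: Hash1(prefix, sourceTree),
	}
	v.Diverged = v.ProxyHash != v.SourceHash
	return v
}

// withExtraFile returns a copy of base with one additional file.
func withExtraFile(base ModuleTree, name string, body []byte) ModuleTree {
	out := make(ModuleTree, len(base)+1)
	for k, v := range base {
		out[k] = v
	}
	out[name] = body
	return out
}

// Constructed sample trees. Contents are placeholders, not the real module.
var (
	// What the repository shows once the tag has been moved to a clean commit.
	cleanTree = ModuleTree{
		"go.mod":  []byte("module github.com/boltdb-go/bolt\n\ngo 1.17\n"),
		"bolt.go": []byte("package bolt\n\n// Open opens a database file.\nfunc Open(path string) error { return nil }\n"),
	}
	// What the proxy cached: the same tree plus one injected file. A single
	// added file is enough to change the h1 checksum entirely.
	backdooredTree = withExtraFile(cleanTree, "init_hook.go",
		[]byte("package bolt\n\n// constructed placeholder for the injected code\nfunc init() {}\n"))
)

func main() {
	v := CompareProxyAgainstSource("github.com/boltdb-go/bolt", "v1.3.1", backdooredTree, cleanTree)
	fmt.Println("proxy-served  :", v.ProxyHash)
	fmt.Println("source-at-tag :", v.SourceHash)
	if v.Diverged {
		fmt.Println("MISMATCH: the tag no longer points at what the proxy cached")
	}
}
```

In practice the two trees come from `go mod download -json <module>@<version>` run once against the proxy and once with `GOPROXY=direct`; the `Sum` field of each result is exactly the h1 value this function computes, so any difference between the two downloads is the tag-moving pattern the researchers describe.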