Cybersecurity experts have raised alarms about a recent software supply chain attack targeting the Go programming ecosystem. This attack involves a malicious package that provides unauthorized remote access to compromised systems.
Details of the Malicious Package
The package, identified as github.com/boltdb-go/bolt, serves as a deceptive variant of the legitimate BoltDB database module (github.com/boltdb/bolt). Security firm Socket discovered this malicious version (1.3.1) uploaded to GitHub in November 2021. The Go Module Mirror service has cached it indefinitely.
How the Attack Works
Once developers install this backdoored package, attackers gain remote access to the infected system. This access allows them to execute arbitrary commands.
This incident highlights how malicious actors exploit the Go Module Mirror’s indefinite caching policy. After the initial upload, the attacker altered the Git tags in the source repository. This change redirected users to the legitimate version of the package.
Evasion of Detection
This clever tactic ensures that a manual review of the GitHub repository uncovers no malicious code. Meanwhile, the caching mechanism allows unsuspecting developers to download the compromised version when using the Go command-line interface (CLI).
Socket researcher Boychenko noted that once a module version is cached, it remains available through the Go Module Proxy. Even if the original source changes, the cached version persists. While this design serves legitimate purposes, attackers exploit it to distribute malicious code continuously.
Implications for Developers
The implications of this incident highlight the dual nature of immutable modules. They can offer security advantages but also present opportunities for abuse. Developers and security teams must remain vigilant. Monitoring for attacks that use cached module versions to bypass detection is essential.
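One concrete check that follows from this advice, as an added example that is not code from Socket or the Go project: scan a go.mod for required module paths that are only a few edits away from a maintained allow-list of trusted modules, which surfaces look-alikes such as github.com/boltdb-go/bolt beside github.com/boltdb/bolt. The allow-list, the sample go.mod and the edit-distance threshold of 3 are assumptions constructed for the demo.

```python
# Flag go.mod requirements whose module path is a near-miss of a trusted path.
# Added example for this article, not code from Socket or the Go project.

# Allow-list a team would maintain for the modules it actually depends on (constructed).
TRUSTED_MODULES = ["github.com/boltdb/bolt", "github.com/stretchr/testify"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # deletion, insertion, substitution (free when the characters match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def required_modules(go_mod: str) -> list[tuple[str, str]]:
    """Return (path, version) pairs from go.mod text; other directives are skipped."""
    pairs = []
    for raw in go_mod.splitlines():
        fields = raw.strip().removeprefix("require ").split()
        # A requirement is "<module path> v<semver>"; the module, go, "require ("
        # and ")" lines fail one of these checks and drop out.
        if len(fields) >= 2 and "/" in fields[0] and fields[1].startswith("v"):
            pairs.append((fields[0], fields[1]))
    return pairs


def find_lookalikes(go_mod: str, trusted=TRUSTED_MODULES, max_dist: int = 3) -> list[dict]:
    """Report requirements within max_dist edits of a trusted path that are not that path."""
    findings = []
    for path, version in required_modules(go_mod):
        for trusted_path in trusted:
            dist = edit_distance(path, trusted_path)
            if path != trusted_path and dist <= max_dist:
                findings.append({"required": path, "version": version,
                                 "resembles": trusted_path, "distance": dist})
    return findings


# Constructed sample go.mod carrying the look-alike path named in the article.
SAMPLE_GO_MOD = ("module example.com/app\n\ngo 1.21\n\nrequire (\n"
                 "\tgithub.com/boltdb-go/bolt v1.3.1\n\tgithub.com/stretchr/testify v1.8.4\n)\n")

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_GO_MOD):
        print(f"{f['required']} {f['version']} resembles {f['resembles']} (edit distance {f['distance']})")
```

This check catches names only; pinning versions in go.sum and verifying them against the Go checksum database remains the control for the cached-content problem the article describes.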
Related Threats in the Ecosystem
In a related development, cybersecurity firm Cycode reported on three malicious npm packages: serve-static-corell, openssl-node, and next-refresh-token. These packages contained obfuscated code designed to gather system metadata and execute commands from a remote server (8[.]152[.]163[.]60) on compromised machines.