Go Module Mirror served backdoor to devs for 3+ years
Summary
A backdoored Go module remained available from Google's Go Module Mirror (proxy.golang.org) for more than three years, despite researchers' attempts to have it removed.
The service, which caches open-source modules for the Go programming language so that downloads are fast and builds are reproducible, was abused through a technique known as typosquatting.
The attacker published a malicious module under a name close to that of a popular legitimate one, so that developers who mistyped the import path would fetch the malicious module instead of the one they intended.
The malicious module was github.com/boltdb-go/bolt, a near-miss of the genuine github.com/boltdb/bolt, which was imported by 8,367 other packages.
The backdoored code was removed after an alert raised on 7 November 2021, but the Go Module Mirror had already cached the backdoored version and continued to serve it for the following three years: the mirror retains cached module versions even when they are later removed upstream, and the default GOPROXY setting (https://proxy.golang.org,direct) means a go get resolves against the mirror rather than the source repository, so cleaning up the repository alone does not stop new downloads of the cached version.