Cyber Web Spider Blog – News

Go Module Typo Exposes DNS Backdoor Hack

Posted on May 20, 2026 By CWS

A recent discovery has shown that a minor typo in a Go module name has been silently providing a backdoor for attackers for almost three years. Security experts have uncovered a malicious package dubbed github.com/shopsprint/decimal, which closely mimics the legitimate github.com/shopspring/decimal library, differing only by a single letter.

Subtlety of the Attack

First introduced in 2017, the package was weaponized in August 2023, when attackers embedded a covert command-and-control channel that runs over DNS records into the module. The attack primarily targets Go developers involved in financial software, billing systems, cryptocurrency platforms, and analytics tools.

The genuine shopspring/decimal library is crucial for precise arithmetic operations without rounding errors. The malicious variant mirrors the real one so closely that projects using it experience no visible errors or unusual behavior, allowing it to go unnoticed.

Technical Investigation and Findings

Socket.dev researchers, in collaboration with Cyber Security News (CSN), identified the rogue module and traced its weaponization to August 19, 2023—just seven minutes after a legitimate update. This timing creates the illusion of normal software maintenance. Previous versions of the module were harmless, a tactic aimed at establishing trust before launching the attack.

One of the most significant concerns is that the malicious version remains accessible even after the original GitHub account was deleted. This is due to Go’s reproducibility guarantee, which ensures that all published module versions are cached permanently at proxy.golang.org, making the backdoor perpetually available.

Mechanics of the DNS-Based Backdoor

The backdoor activates when a Go binary importing the compromised package runs. It uses an init() function to start a background loop that contacts a DNS subdomain every five minutes, requesting a TXT record. These records are used to deliver system commands directly to infected machines.

The command server, dnslog-cdn-images[.]freemyip[.]com, is hosted on a dynamic DNS provider under the attacker’s control. Commands are executed silently, leaving no trace, as DNS traffic typically does not trigger standard security alerts.
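
One way to look for this channel in resolver logs, as an added example that is not from the article or the researchers' report: it flags TXT lookups for the named zone and, more generally, any client and name pair that repeats TXT lookups at roughly five-minute intervals. The log format, the 30-second tolerance, the placeholder label `x` and the function name are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// C2 zone as printed in the article (defanged); refanged only for matching.
var c2 = strings.ReplaceAll("dnslog-cdn-images[.]freemyip[.]com", "[.]", ".")

// Constructed resolver log, oldest first, in an assumed format
// "time client qtype qname". C2ZONE expands to c2; "x" is a placeholder label.
var sampleLog = strings.ReplaceAll(`2026-01-01T10:00:00Z 10.0.0.5 TXT x.C2ZONE.
2026-01-01T10:02:10Z 10.0.0.9 TXT _dmarc.example.org.
2026-01-01T10:05:01Z 10.0.0.5 TXT x.C2ZONE.
2026-01-01T10:10:02Z 10.0.0.5 TXT x.C2ZONE.`, "C2ZONE", c2)

// scanDNS returns the "client qname" pairs whose TXT lookups hit the C2 zone
// or recur three or more times at five-minute intervals (+/- 30s, assumed).
func scanDNS(logs string) map[string]bool {
	seen, hits := map[string][]time.Time{}, map[string]bool{}
	for _, line := range strings.Split(logs, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "TXT" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
			k := f[1] + " " + strings.ToLower(strings.TrimSuffix(f[3], "."))
			seen[k] = append(seen[k], ts)
		}
	}
	for k, ts := range seen {
		periodic := len(ts) >= 3
		for i := 1; i < len(ts); i++ {
			d := ts[i].Sub(ts[i-1])
			periodic = periodic && d >= 270*time.Second && d <= 330*time.Second
		}
		name := k[strings.Index(k, " ")+1:]
		if periodic || name == c2 || strings.HasSuffix(name, "."+c2) {
			hits[k] = true
		}
	}
	return hits
}

func main() {
	fmt.Println(scanDNS(sampleLog))
}
```

The interval check assumes the log is in chronological order and only considers TXT queries, the record type the article describes.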

Protective Measures and Recommendations

Developers and CI systems that have used version v1.3.3 should assume their systems are compromised. Immediate actions include rotating credentials such as Git tokens, cloud keys, and SSH keys; auditing Go module files to replace the typosquatted package; and monitoring DNS traffic for suspicious queries.
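
The module-file audit recommended above, as an added example that is not from the article or from Socket.dev: it flags any module path in go.mod or go.sum text that sits one character edit away from a trusted path, which goes beyond this single typosquat to other near-miss names. The `trusted` allowlist, the function names and the sample go.mod are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// trusted is an assumed allowlist of the module paths the project really uses.
var trusted = []string{"github.com/shopspring/decimal"}

// Constructed go.mod; only the decimal path and v1.3.3 come from the article.
const sampleGoMod = `module example.com/billing
require github.com/shopsprint/decimal v1.3.3
require example.com/ledger v0.1.0`

// oneEdit reports whether a and b differ by exactly one substituted, inserted or deleted byte.
func oneEdit(a, b string) bool {
	if len(a) > len(b) {
		a, b = b, a
	}
	i := 0
	for i < len(a) && a[i] == b[i] {
		i++
	}
	if len(a) == len(b) {
		return i < len(a) && a[i+1:] == b[i+1:]
	}
	return len(b) == len(a)+1 && a[i:] == b[i+1:]
}

// auditModFile scans go.mod or go.sum text and returns one finding for each
// token that is a single edit away from a trusted module path.
func auditModFile(content string) []string {
	var findings []string
	for n, line := range strings.Split(content, "\n") {
		for _, tok := range strings.Fields(line) {
			for _, t := range trusted {
				if oneEdit(tok, t) {
					findings = append(findings, fmt.Sprintf("line %d: %s is one edit from %s", n+1, tok, t))
				}
			}
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(auditModFile(sampleGoMod), "\n"))
}
```

Run it over both go.mod and go.sum in CI, since a transitive dependency can pull the lookalike in without it appearing in the project's own require lines.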

Indicators of compromise, such as specific hashes and domain names, have been identified to aid in the detection of this threat. Developers are advised to remain vigilant and ensure their software supply chains are secure from such subtle yet impactful attacks.
