- Someone forked a popular database module and fitted it with malware
- The malicious fork was then cached and stored indefinitely
- It was then creatively hidden in plain sight to target Go developers
A software supply chain attack targeting developers on the Go platform was apparently hiding in plain sight for three years to spread malware, experts have warned.
Cybersecurity researchers from Socket Security uncovered and publicly spoke about the campaign, which started back in 2021, when someone took a relatively popular database module called BoltDB on GitHub and forked it. In the fork, they added malicious code, which granted the attacker backdoor access to compromised computers.
That instance was then cached indefinitely by the Go Module Mirror service.
Abusing Go Module Mirror
For those unfamiliar with Go Module Mirror, it is a proxy service operated by Google that caches and serves Go modules to improve reliability, availability, and performance. It ensures that Go modules remain accessible even if the original source is modified, deleted, or becomes temporarily unavailable.
After the instance was cached, the attacker changed the Git tags in the source repository, to redirect visitors to the benign version, essentially hiding the malware in plain sight.
“Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands,” security researcher Kirill Boychenko said in his report.
Speaking to TheHackerNews, Socket said this is one of the earliest recorded instances of threat actors taking advantage of the Go Module Mirror service.
“This is possible because Git tags are mutable unless explicitly protected,” Socket said. “A repository owner can delete and reassign a tag to a different commit at any time. However, the Go Module Proxy had already cached the original malicious version, which was never updated or removed from the proxy, allowing the attack to persist.”
The malicious version ended up permanently accessible through the Go Module Proxy, Boychenko explained. “While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository.”
Boychenko said that he reported his findings and awaits for the removal of the malicious content: “As of this publication, the malicious package remains available on the Go Module Proxy. We have petitioned for its removal from the module mirror and have also reported the threat actor’s GitHub repository and account, which were used to distribute the backdoored boltdb-go package.”
