
Poisoned Go programming language package lay undetected for 3 years

Researcher says ecosystem's auto-caching is a net positive but presents exploitable quirks


Updated A security researcher says a backdoor masquerading as a legitimate Go programming language package used by thousands of organizations was left undetected for years.

Kirill Boychenko, threat intelligence analyst at Socket Security, blogged today about what seems to be a supply chain attack on the BoltDB database module, which is depended on by more than 8,000 other packages and major organizations such as Shopify and Heroku.

BoltDB, whose legitimate import path is github.com/boltdb/bolt, was created nine years ago but was declared complete by its author a year later and hasn't been updated since.

The malicious copycat uses the popular typosquatting technique to try to trick users into downloading it. Should a developer happen to confuse the legitimate package with the copycat (github.com/boltdb-go/bolt – subtle difference), they would end up having a backdoor that allows remote code execution (RCE) in their project.

The malicious version is still searchable on the Go Module Proxy and has been left undetected for three years, says Boychenko, who sent a request to Go for its removal.

Fortunately, it also appears to have gone undetected by many project maintainers, with only two imports of the backdoored version recorded – both by a single cryptocurrency project with just seven followers.

There's no way of knowing how many times the package has been downloaded, though, since Go doesn't track the metric. Looking at the dodgy version's GitHub page, however, it shows zero stars or forks, and no pull requests made in three years, suggesting it has flown largely under the radar.

Regardless, Boychenko says the way in which the creator exploited Go's package system highlights a flaw that requires greater understanding among developers.

The boltdb-go package, in its original backdoored form, was published to GitHub. The first time any developer requested it, the Go Module Mirror service cached that version and made it available indefinitely.

The malicious project author then modified the project's Git tags to point to the legitimate version (boltdb) so that a manual review of boltdb-go wouldn't reveal any signs of foul play, all while the malicious version was still being served to unsuspecting developers.

"This attack is among the first documented instances of a malicious actor exploiting the Go Module Mirror's indefinite caching of modules," says Boychenko in his write-up. "While no prior cases have been reported publicly, this incident highlights a critical need to raise awareness of similar persistence tactics in the future.

"With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection."

Go's immutable modules mean baddies can't go into a popular package and modify the code of a version after it has been downloaded and cached, which is a boon to the ecosystem's security and underpins many of the features the Go team cites as mitigating software supply chain attacks.

However, Go's immutability means once a malicious version such as boltdb-go is cached, it's there forever. It continues to be served to Go devs in its harmful state.
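The tag-repointing trick described above can be caught by recomputing the module hash from the tree a Git tag currently points to and comparing it with the hash recorded in go.sum when the proxy first served the version. The following is an added example, not code from Socket or the Go project; it reimplements the standard "h1:" directory-hash construction with the standard library only, and the module path example.com/boltdemo, its file contents and the function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 recomputes the "h1:" hash go.sum records: sha256 over the sorted lines
// "<sha256hex>  <module>@<version>/<path>\n", one per file, base64-encoded.
func Hash1(modVersion string, files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for rel := range files {
		names = append(names, rel)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, rel := range names {
		fileSum := sha256.Sum256(files[rel])
		fmt.Fprintf(summary, "%x  %s/%s\n", fileSum, modVersion, rel)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// TagMatchesRecorded looks up the go.sum entry "<path> <version> h1:..." and
// reports whether the tree now at the Git tag still hashes to that value.
func TagMatchesRecorded(goSum, modPath, version string, tagFiles map[string][]byte) bool {
	want := Hash1(modPath+"@"+version, tagFiles)
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == modPath && f[1] == version {
			return f[2] == want
		}
	}
	return false // no entry recorded: nothing to compare against
}

func main() {
	// Constructed sample: a two-file module as the proxy first cached it,
	// and the go.sum line that build produced.
	mod, ver := "example.com/boltdemo", "v1.0.0"
	cached := map[string][]byte{
		"go.mod":  []byte("module example.com/boltdemo\n"),
		"bolt.go": []byte("package bolt\n\nfunc Open() {}\n"),
	}
	goSum := mod + " " + ver + " " + Hash1(mod+"@"+ver, cached) + "\n"
	// The tree the repository tag points to now, with one file changed.
	retagged := map[string][]byte{"go.mod": cached["go.mod"], "bolt.go": []byte("package bolt\n")}
	fmt.Println(TagMatchesRecorded(goSum, mod, ver, cached), TagMatchesRecorded(goSum, mod, ver, retagged))
}
```

A mismatch does not by itself prove malice, but it is exactly the divergence between cached and upstream code that a manual review of the repository would otherwise miss.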

"To mitigate supply chain threats, developers should verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level," Boychenko adds.

"Ensuring that Go's module ecosystem remains resilient against such attacks requires ongoing vigilance, improved security mechanisms, and better awareness of how threat actors exploit software distribution channels."

Socket reported boltdb-go and a similar bolt-db, which wasn't deemed malicious, to Go's devs for permanent removal so neither can be misused in the future.

The Register asked the Go team to comment, and it didn't immediately respond. ®

Updated at 16.02 UTC on February 12, 2025, to add:

Following publication of this article, Google has finally got back to us to confirm the module has been "removed from both the Go module proxy and GitHub, and we've added it to the Go vulnerability database for anyone who thinks they may have been impacted.

"We are addressing this through fixes like capability analysis via Capslock and running comparisons with deps.dev. We want to thank Socket and the Go team contributors that detected the module and are addressing fixes. We'll continue to work with the wider industry to raise awareness around common open source security issues like these and work being done through initiatives like SLSA and OpenSSF."
