Poisoned Go programming language package lay undetected for 3 years www.theregister.com/2025/02/0…

A security researcher says a backdoor masquerading as a legitimate Go programming language package used by thousands of organizations was left undetected for years. Kirill Boychenko, threat intelligence analyst at Socket Security, blogged today about what seems to be a supply chain attack on the BoltDB database module, which is depended on by more than 8,000 other packages and major organizations such as Shopify and Heroku. BoltDB, the legitimate URL of which is github.com/boltdb/bolt, was created nine years ago but was declared complete by the author a year later and hasn’t been updated since.

The malicious copycat uses the popular typosquatting technique to try to trick users into downloading it. Should a developer happen to confuse the legitimate package with the copycat (github.com/boltdb-go/bolt – subtle difference), they would end up with a backdoor that allows remote code execution (RCE) in their project. The malicious version is still searchable on the Go Module Proxy and has been left undetected for three years, says Boychenko, who sent a request to Go for its removal.

Fortunately, it also appears to have gone undetected by many project maintainers, with only two imports of the backdoored version recorded – both by a single cryptocurrency project with just seven followers.
