Malicious Go Packages Impersonate Google’s UUID Library and Exfiltrate Data
Blog post from Socket
The Socket Threat Research Team discovered two malicious Go packages, github[.]com/bpoorman/uuid and github[.]com/bpoorman/uid, which mimic trusted UUID libraries and exfiltrate data through a covert function called Valid. This function encrypts data and sends it to the dpaste service using a hardcoded API token, relying on the packages' legitimate appearance to avoid detection. Despite being reported, the malicious packages remain accessible and pose a threat to developers who might unknowingly incorporate them into their applications.

The legitimate github.com/google/uuid and github.com/pborman/uuid libraries are widely used in Go applications, which makes them attractive targets for this kind of supply chain attack. The malicious packages are designed to blend in with these popular libraries, increasing the risk of data theft, including sensitive information such as credentials if the packages are used in CI or deployment pipelines.

To mitigate such risks, defenders are advised to rigorously vet new dependencies, employ security tools like Socket's scanner and CLI, and monitor for unexpected network activity or cryptographic operations in new libraries. By integrating these defensive measures, teams can better detect and prevent the adoption of malicious packages similar to those discovered.
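One way to act on the advice above, as an added example that is not from the Socket post or from any of the packages it names: a small Go check that parses a dependency's source file for imports a UUID library has no reason to need, and flags the crypto-plus-network combination the Valid function is described as using. The watchlist and the sample file are constructed for this example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed watchlist: import paths a UUID library has no reason to need.
var watchlist = map[string]string{
	"net/http": "network", "net": "network",
	"crypto/aes": "crypto", "crypto/cipher": "crypto",
	"os/exec": "process",
}

// SuspiciousImports parses one Go file (imports only) and returns its
// watchlisted imports as "category:path", sorted for stable output.
func SuspiciousImports(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "dep.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`) // Value keeps its quotes
		if cat, ok := watchlist[path]; ok {
			hits = append(hits, cat+":"+path)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// NeedsReview is true when a file mixes crypto and network imports, the
// encrypt-then-upload pattern worth a manual look in a new dependency.
func NeedsReview(hits []string) bool {
	seen := map[string]bool{}
	for _, h := range hits {
		seen[strings.SplitN(h, ":", 2)[0]] = true
	}
	return seen["crypto"] && seen["network"]
}

// Constructed stand-in for a file from a newly added dependency.
const sample = "package uuid\nimport (\"crypto/aes\"; \"net/http\"; \"fmt\")\n" +
	"func Valid(s string) bool { return s != \"\" }\n"

func main() {
	hits, _ := SuspiciousImports(sample)
	fmt.Println(hits, "needs review:", NeedsReview(hits))
}
```

In practice, run this over every file of a dependency when it first enters go.mod and treat a hit as a prompt to read the code, not as proof of malice.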