Go Module Mirror Backdoor: 3-Year Supply Chain Attack Exposed
Blog post from SSOJet
In February 2025, researchers discovered a supply chain attack targeting the Go programming ecosystem: a malicious package, github.com/boltdb-go/bolt, impersonated the legitimate BoltDB module. The attack combined typosquatting, in which attackers publish packages under misleadingly similar names, with the Go Module Proxy's caching mechanism, which allowed the backdoored package to remain undetected for years. This weakness in the module management system highlighted the risks of caching modules indefinitely: because the proxy keeps serving the cached copy, attackers could maintain access to systems even after the original repositories were changed.

The malicious package, which enabled remote code execution, was first introduced in November 2021 and continued to affect organizations that used the legitimate BoltDB database module, tricking developers into installing it through a simple typo. Security experts recommended proactive verification and auditing of dependencies to mitigate such risks, and solutions like SSOJet were suggested to strengthen user management security and protect against similar threats.
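As an added example (not code from the SSOJet post or from the BoltDB project), the Go program below implements the dependency audit the post recommends: it compares each module path in a project's module graph (as `go list -m all` reports it) against an assumed, organisation-maintained allowlist and flags near-misses by edit distance, which catches the boltdb-go/bolt lookalike. Both the allowlist and the module list are constructed for the demonstration.

```go
package main

import "fmt"
// trusted is an assumed, organisation-maintained allowlist of module paths.
var trusted = []string{"github.com/boltdb/bolt", "github.com/stretchr/testify", "golang.org/x/sys"}

// editDistance is the Levenshtein distance between a and b (two-row dynamic programme).
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := []int{i}
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				d++
			}
			for _, alt := range []int{prev[j] + 1, cur[j-1] + 1} { // deletion, insertion
				if alt < d {
					d = alt
				}
			}
			cur = append(cur, d)
		}
		prev = cur
	}
	return prev[len(b)]
}
// Suspects maps each path absent from the allowlist but within maxDist edits of a trusted path to that path.
func Suspects(paths []string, maxDist int) map[string]string {
	out := map[string]string{}
	for _, p := range paths {
		near, best := "", maxDist+1
		for _, t := range trusted {
			if d := editDistance(p, t); d < best {
				near, best = t, d
			}
		}
		if best > 0 && best <= maxDist { // exact allowlist hits have best == 0
			out[p] = near
		}
	}
	return out
}
func main() {
	// Constructed module list as `go list -m all` would print it; boltdb-go/bolt is the typosquat from the post.
	fmt.Println(Suspects([]string{"github.com/boltdb-go/bolt", "github.com/stretchr/testify", "golang.org/x/sys"}, 3))
}
```

In practice the allowlist would be generated from a reviewed go.sum or an internal module registry, and the check would run in CI so that any flagged path blocks the build.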