Originally published at ssojet
In February 2025, researchers at Socket uncovered a significant supply chain attack within the Go programming ecosystem. A malicious package, named github.com/boltdb-go/bolt, impersonated the legitimate and widely-used BoltDB module. This backdoored package exploited the Go Module Proxy's caching mechanism to persist undetected for years, highlighting vulnerabilities in module management systems.
The Go Module Proxy caches modules indefinitely so that builds stay reproducible. That immutability is a security property in its own right, but it also means a malicious module keeps being served from the cache even after the source repository has been cleaned up. The attack shows how package ecosystems are abused through typosquatting, as seen before in npm and PyPI. Developers should verify the exact module path and its source before adding a dependency and regularly audit go.mod for look-alike paths.
Caching in
The Go Module Mirror, operated by Google, hosted a backdoored version of a widely used module from November 2021. The malicious module, boltdb-go/bolt, relied on typosquatting, a technique where attackers publish packages under names that closely resemble legitimate ones. A developer who mistypes or misremembers the module path can pull in the malicious version without noticing.
The backdoored module first appeared on GitHub. Although the repository was reverted to the legitimate version, the Go Module Mirror cached the backdoored one, making it available for three years. "The success of this attack relied on the Go Module Proxy's design, which prioritizes caching for performance," Socket researchers noted. Once cached, the malicious module remained accessible, even after the original source was modified.
Poisoned Go Programming Language Package
Security researchers observed that the backdoored package had remained undetected for years, putting at risk the thousands of organizations that depend on the legitimate BoltDB database module. The legitimate module, found at github.com/boltdb/bolt, was declared complete in 2016 and has not been updated since.
The malicious copycat package leveraged typosquatting, making it difficult for developers to distinguish between the two variants. If a developer confused the names, they risked introducing a backdoor that allowed remote code execution in their project. The malicious package was still searchable on the Go Module Proxy and had evaded detection for years.
Kirill Boychenko, a threat intelligence analyst at Socket, pointed out that the attack showcases flaws in Go's package system. "This attack is among the first documented instances of a malicious actor exploiting the Go Module Mirror's indefinite caching of modules," Boychenko stated.
Typosquat Supply Chain Attack Targets Go Developers
The malicious package grants hackers control over infected systems. Published in November 2021, the package typosquats the legitimate BoltDB module, which is used by numerous organizations, including Shopify and Heroku. The attack demonstrates how a bad actor can exploit features in the Go Module Mirror, particularly the indefinite caching of modules.
Once the malicious version was cached, even subsequent changes to the GitHub repository did not remove the backdoored variant from circulation. "With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection," Boychenko advised.
Bad Actor Targets Linux, macOS Developers with Typosquatted Go Packages
In early February, threat researchers detailed a separate three-year typosquatting campaign in which attackers targeted developers with a backdoor impersonating widely used Go modules. The attacker published at least seven malicious packages on the Go Module Mirror.
These packages used names similar to popular libraries, aiming to trick developers into inadvertently installing malware. The Go Module Mirror's caching mechanism allows outdated and potentially compromised modules to remain accessible.
Mitch Ashley, VP at The Futurum Group, explained that this caching could lead developers to use compromised modules even when updates are available. "Unless explicitly triggered by a developer, the cache may be outdated and have a compromised module cached," he noted.
Implementing Secure User Management
Beyond dependency hygiene, organizations should also put secure Single Sign-On (SSO) and user management in place. SSOJet offers an API-first platform that features directory sync, SAML, OIDC, and magic link authentication. These tools greatly enhance the security of user management, allowing developers to focus on building applications without compromising security.
Organizations can mitigate the risks associated with typosquatting and supply chain attacks through proactive package integrity verification (confirming the exact module path before it enters go.mod and reviewing go.sum for unexpected entries) and continuous monitoring of dependencies. By leveraging SSOJet's services, enterprises can ensure robust authentication and user management practices.
Explore SSOJet's services or contact us at https://ssojet.com to learn more about how we can help secure your organization.