- Someone forked a popular database module and laced it with malware
- The malicious fork was then cached and stored indefinitely
- It was then cleverly hidden in plain sight to target Go developers
A software supply chain attack targeting developers on the Go platform apparently hid in plain sight for three years to spread malware, experts have warned.
Cybersecurity researchers from Socket Security revealed and publicly discussed the campaign, which started back in 2021 when someone took a relatively popular database module called BoltDB on GitHub and forked it. In the fork, they added malicious code that gave the attacker backdoor access to compromised computers.
This fork was then cached indefinitely by the Go Module Mirror service.
Abuse of the Go Module Mirror
For those not familiar with the Go Module Mirror, it is a proxy service run by Google that caches and serves Go modules to improve reliability, availability and performance. It ensures that Go modules remain available even if the original source is changed, deleted or temporarily unavailable.
Once the fork had been cached, the attacker changed the git tags in the source repository to redirect visitors to the benign version, essentially hiding the malware in plain sight.
“Once installed, the backdoored package gives the threat actor remote access to the infected system, allowing them to perform arbitrary commands,” security researcher Kirill Boychenko said in his report.
Speaking to The Hacker News, Socket said this is one of the earliest recorded cases of threat actors abusing the Go Module Mirror service.
“This is possible because git tags are mutable unless explicitly protected,” Socket said. “A repository owner can delete and reassign a tag to a different commit at any time. However, the Go module proxy had already cached the original malicious version, which was never updated or removed from the proxy, enabling the attack to continue.”
The malicious version ended up permanently accessible through the Go module proxy, Boychenko explained. “While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository.”
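The mechanism described above (a proxy serving one copy of a version while the git tag now points at a different commit) is exactly what Go's `go.sum` checksums exist to catch: the go command records an `h1:` hash of each module version it downloads and refuses a later download whose content hashes differently. The following is an added example, not code from Socket's report or from the Go project: it reimplements the `h1:` directory-hash algorithm (SHA-256 of a sorted "hash  name" listing, base64-encoded, as used by go.sum and the checksum database) and uses it to compare a hash that was recorded when a version was cached against a hash computed from a fresh checkout of the same tag. The module path `example.test/bolt`, the version `v1.0.0` and the file contents are constructed sample data, not the real package.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 reimplements the "h1:" directory hash used by go.sum and the Go
// checksum database for module zips: each file's SHA-256 is written as
// "<hex>  <name>\n" in sorted name order, and the SHA-256 of that listing is
// base64-encoded. Names inside a module zip carry a "<module>@<version>/"
// prefix, which the caller passes in as prefix.
func hash1(prefix string, files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // prefix is constant, so sorting bare names keeps zip order

	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], prefix+name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verifyCached compares the hash recorded when a version was first cached
// (what go.sum or a proxy would hold) with the hash of the code a tag points
// at now. A mismatch means the tag has been retargeted since the cache was
// filled, so the cached copy and the visible source no longer agree.
func verifyCached(recorded, prefix string, checkout map[string][]byte) (string, bool) {
	got := hash1(prefix, checkout)
	return got, got == recorded
}

func main() {
	// Constructed sample trees; "example.test/bolt" is a placeholder module path.
	const prefix = "example.test/bolt@v1.0.0/"
	benign := map[string][]byte{
		"go.mod":  []byte("module example.test/bolt\n"),
		"bolt.go": []byte("package bolt\n\nfunc Open(path string) error { return nil }\n"),
	}
	// Same module and version, but with an extra file in the tree the
	// proxy cached. Its content is an inert placeholder for this demo.
	cachedByProxy := map[string][]byte{
		"go.mod":  benign["go.mod"],
		"bolt.go": benign["bolt.go"],
		"init.go": []byte("package bolt\n\n// placeholder for content absent from the current tag\n"),
	}

	// 1. The proxy cached v1.0.0 and recorded its hash.
	recorded := hash1(prefix, cachedByProxy)
	fmt.Println("recorded at cache time:", recorded)

	// 2. The tag v1.0.0 is later moved to the benign commit; a fresh
	//    checkout of the tag hashes differently from what was cached.
	got, ok := verifyCached(recorded, prefix, benign)
	fmt.Println("checkout of tag now:   ", got)
	if !ok {
		fmt.Println("MISMATCH: cached version differs from the source the tag points to")
	}
}
```

In day-to-day use this comparison is done for you: `go.sum` pins the `h1:` value per module version, and the go command stops with a checksum mismatch when a download no longer matches it, which is why committed `go.sum` files and the checksum database matter more than whatever a repository's tags currently show.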
Boychenko said he reported his findings and is awaiting removal of the malicious content: “As of this publication, the malicious package remains available on the Go Module Proxy. We have requested its removal from the module mirror and have also reported the threat actor’s GitHub repository and account used to distribute the backdoored boltdb-go package.”