A security researcher says a backdoor masquerading as a legitimate Go programming language package used by thousands of organizations was left undetected for years.
Kirill Boychenko, threat intelligence analyst at Socket Security, blogged today about what seems to be a supply chain attack on the BoltDB database module, which is depended on by more than 8,000 other packages and major organizations such as Shopify and Heroku.
BoltDB, the legitimate URL of which is github.com/boltdb/bolt, was created nine years ago but was declared complete by the author a year later and hasn't been updated since.
The malicious copycat uses the popular typosquatting technique to try to trick users into downloading it. Should a developer happen to confuse the legitimate package with the copycat (github.com/boltdb-go/bolt, a subtle difference), they would end up having a backdoor that allows remote code execution (RCE) in their project.
The malicious version is still searchable on the Go Module Proxy and has been left undetected for three years, says Boychenko, who sent a request to Go for its removal.
Fortunately, it also appears to have gone undetected by many project maintainers, with only two imports of the backdoored version recorded, both by a single cryptocurrency project with just seven followers.
There's no way of knowing how many times the package has been downloaded, though, since Go doesn't track the metric. Looking at the dodgy version's GitHub page, however, it shows zero stars or forks, and no pull requests made in three years, suggesting it has flown largely under the radar.
Regardless, Boychenko says the way in which the creator exploited Go's package system highlights a flaw that requires greater understanding among developers.
The original boltdb-go package was published to GitHub. When it is first requested, the Go Module Mirror service caches the package and makes it available indefinitely.
The malicious project author then modified the project's Git tags to point to the legitimate version (boltdb) so that a manual review of boltdb-go wouldn't reveal any signs of foul play, all while the malicious version was still being served to unsuspecting developers.
"This attack is among the first documented instances of a malicious actor exploiting the Go Module Mirror's indefinite caching of modules," says Boychenko in his write-up. "While no prior cases have been reported publicly, this incident highlights a critical need to raise awareness of similar persistence tactics in the future.
"With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection."
Go's immutable modules mean baddies can't go into a popular package and modify its code after being downloaded, which is a boon to the ecosystem's security and underpins many of the features the Go team cites that help mitigate software supply chain attacks.
However, Go's immutability means once a malicious version such as boltdb-go is cached, it's there forever. It continues to be served to Go devs in its harmful state.
"To mitigate supply chain threats, developers should verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level," Boychenko adds.
"Ensuring that Go's module ecosystem remains resilient against such attacks requires ongoing vigilance, improved security mechanisms, and better awareness of how threat actors exploit software distribution channels."
Socket reported boltdb-go and a similar bolt-db, which wasn't deemed malicious, to Go's devs for permanent removal so neither can be misused in the future.
The Register asked the Go team to comment, and it didn't immediately respond. ®
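The tag-moving trick described above works because the proxy's cached copy and the repository's current tag can silently diverge. One defender-side check is to hash both trees the way go.sum does and compare. The following is an added example, not code from the Socket write-up or the Go project; it re-implements the "h1:" hash from the published algorithm (an assumption, not a call into the toolchain) and uses a constructed, placeholder module and file contents.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// fileTree maps a file's path inside a module to its contents.
type fileTree map[string][]byte

// hash1 re-implements the "h1:" module hash recorded in go.sum (assumption:
// written from the published algorithm, not taken from the Go toolchain).
// Each file is SHA-256 hashed; the lines "<hex>  <module>@<version>/<path>\n"
// are sorted, hashed again, and the digest is base64-encoded.
func hash1(modPath, version string, files fileTree) string {
	prefix := modPath + "@" + version + "/"
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, prefix+name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name[len(prefix):]])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// compareSources hashes what the proxy served and what the git tag currently
// holds; a mismatch means the tag no longer describes the cached module.
func compareSources(modPath, version string, proxy, git fileTree) (proxySum, gitSum string, match bool) {
	proxySum = hash1(modPath, version, proxy)
	gitSum = hash1(modPath, version, git)
	return proxySum, gitSum, proxySum == gitSum
}

// Constructed sample (placeholder module path): the proxy-cached copy carries
// an extra file that a checkout of the re-pointed tag no longer contains.
var (
	modPath    = "github.com/example/copycat"
	version    = "v1.3.1"
	cleanTree  = fileTree{"go.mod": []byte("module github.com/example/copycat\n"), "bolt.go": []byte("package bolt\n")}
	servedTree = fileTree{"go.mod": cleanTree["go.mod"], "bolt.go": cleanTree["bolt.go"], "loader.go": []byte("package bolt\n")}
)

func main() {
	p, g, ok := compareSources(modPath, version, servedTree, cleanTree)
	fmt.Printf("proxy: %s\ngit:   %s\nmatch: %v\n", p, g, ok)
}
```

In practice the two trees come from `go mod download` against the proxy and from a fresh checkout of the tag, each into its own module cache, so the proxy copy is not reused.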