Socket's Threat Research Team discovered a long-running typosquat of the popular Go library github.com/shopspring/decimal, published as github.com/shopsprint/decimal (swapping 'g' for 't'). The malicious module existed benignly since 2017 before being weaponized in August 2023 with version v1.3.3, which added an init() function that opens a DNS TXT record-based command-and-control channel. The C2 polls a free dynamic DNS subdomain every five minutes and executes any command returned as a TXT record via os/exec.Command. Despite the GitHub repository and owner account being deleted, the malicious release remains permanently cached and fetchable via proxy.golang.org. The attack went undetected for approximately 33 months. Developers are advised to audit go.mod files for the typosquatted path, replace it with the canonical library, and treat any affected build hosts as compromised. Security teams should sinkhole the C2 domain and baseline DNS TXT queries from build infrastructure.
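The audit step above (find the typosquatted path in go.mod and replace it with the canonical library) is easy to do by hand for one known-bad path, but the same check generalises: compare every required module path against a short allowlist of canonical modules and flag anything within a small edit distance that is not itself canonical. The Go program below is an added example written for this page, not code from Socket or from the shopspring/decimal project. It assumes a hypothetical allowlist of three canonical modules and a constructed go.mod; the only known-bad path it carries is the one the report names, github.com/shopsprint/decimal. The near-miss github.com/shopsprng/decimal in the sample is a constructed string used to exercise the distance heuristic, not a package known to exist.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// canonical is a hypothetical allowlist of module paths this project trusts.
// A real audit would load it from a vetted dependency inventory.
var canonical = []string{
	"github.com/shopspring/decimal",
	"github.com/stretchr/testify",
	"golang.org/x/text",
}

// knownBad maps typosquat paths from the report to the module they imitate.
var knownBad = map[string]string{
	"github.com/shopsprint/decimal": "github.com/shopspring/decimal",
}

// maxDistance is the edit-distance threshold for the near-miss heuristic.
const maxDistance = 2

// Finding is one suspicious require line.
type Finding struct {
	Module, Version, Canonical, Reason string
}

// sampleGoMod is a constructed go.mod used to exercise the audit offline.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/shopsprint/decimal v1.3.3
	github.com/stretchr/testify v1.8.4 // indirect
	github.com/shopsprng/decimal v1.0.0
)

require golang.org/x/text v0.14.0
`

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b (rune-wise).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// parseRequires extracts [path, version] pairs from single-line and block
// require directives, ignoring trailing comments such as "// indirect".
func parseRequires(gomod string) [][2]string {
	var out [][2]string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			out = append(out, [2]string{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			out = append(out, [2]string{f[1], f[2]})
		}
	}
	return out
}

func isCanonical(path string) bool {
	for _, c := range canonical {
		if c == path {
			return true
		}
	}
	return false
}

// auditGoMod flags known typosquats first, then any non-canonical path that
// sits within maxDistance edits of a canonical one.
func auditGoMod(gomod string) []Finding {
	var findings []Finding
	for _, req := range parseRequires(gomod) {
		path, ver := req[0], req[1]
		if want, ok := knownBad[path]; ok {
			findings = append(findings, Finding{path, ver, want, "known typosquat"})
			continue
		}
		if isCanonical(path) {
			continue
		}
		for _, c := range canonical {
			if d := levenshtein(path, c); d <= maxDistance {
				findings = append(findings, Finding{path, ver, c, fmt.Sprintf("edit distance %d from canonical", d)})
				break
			}
		}
	}
	return findings
}

func main() {
	for _, f := range auditGoMod(sampleGoMod) {
		fmt.Printf("%s %s: %s (use %s)\n", f.Module, f.Version, f.Reason, f.Canonical)
	}
}
```

Run it across every go.mod in a monorepo and treat any hit as a build host to be re-imaged, per the report's guidance; the distance heuristic will also raise occasional false positives on legitimately similar paths, which is why the exact known-bad list is consulted first and the allowlist should stay short and curated.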

13 min read. From socket.dev.

Table of contents
- The shopspring/decimal Package
- Release Timeline and the Trust-Then-Poison Pattern
- How the Backdoor Triggers on Import
- Command and Control Infrastructure
- Go Module Proxy Persistence
- Impact
- Recommendations
- MITRE ATT&CK
- Indicators of Compromise (IOCs)
