Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
The package, named github.com/boltdb-go/bolt, is a typosquat of the legitimate BoltDB database module (github.com/boltdb/bolt), per Socket. The malicious version (1.3.1) was published to GitHub in November 2021, following which it was cached indefinitely by the Go Module Mirror service.
"Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands," security researcher Kirill Boychenko said in an analysis.
Socket said the development marks one of the earliest instances of a malicious actor abusing the Go Module Mirror's indefinite caching of modules to trick users into downloading the package. Subsequently, the attacker is said to have modified the Git tags in the source repository in order to redirect them to the benign version.
In a statement shared with The Hacker News, the company pointed out that the change was made in the GitHub repository, which was a forked version of the legitimate BoltDB tool, where the threat actor rewrote the Git tag for v1.3.1 to point to a clean commit instead of the original malicious version.
"This is possible because Git tags are mutable unless explicitly protected," Socket said. "A repository owner can delete and reassign a tag to a different commit at any time. However, the Go Module Proxy had already cached the original malicious version, which was never updated or removed from the proxy, allowing the attack to persist."
This deceptive approach ensured that a manual audit of the GitHub repository did not reveal any malicious content, while the caching mechanism meant that unsuspecting developers installing the package using the go CLI continued to download the backdoored variant.
"Once a module version is cached, it remains accessible through the Go Module Proxy, even if the original source is later modified," Boychenko said. "While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository."
"With immutable modules offering both security benefits and potential abuse vectors, developers and security teams should monitor for attacks that leverage cached module versions to evade detection."
The development comes as Cycode detailed three malicious npm packages – serve-static-corell, openssl-node, and next-refresh-token – that harbored obfuscated code to collect system metadata and run arbitrary commands issued by a remote server ("8.152.163[.]60") on the infected host.
Update
In an advisory posted about github.com/boltdb-go/bolt on February 5, 2025, the maintainers of the Go Module Mirror service said: "This module is a malicious typosquat, attempting to take advantage of confusion with the github.com/boltdb/bolt module."
![⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [3 February]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA8HuSGC2Bi7PiuXHsj4JvmjwxIgTeHQTgl-ASOMLbCMt4S4kyr-0Vuuzb-YaJeoTIhleDmVGZr0H1b4OfH_o21T4kZnMVi7o4ulwngKAxahuadmkyRr4i7N8z3KOJbI5x_stxthWafp_lpWuuyieh2yuIqA1V8vdeCss9jAFDO0M1uf0bNvBkGMkwPlqk/w72-h72-p-k-no-nu/recap-article.png "⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [3 February]")
