Recent findings by cybersecurity researchers have unveiled a software supply chain attack that specifically targets the Go programming ecosystem. This operation involves a harmful package engineered to provide adversaries with remote access to compromised systems.
The malicious package, identified as github.com/boltdb-go/bolt, is a deceptive imitation of the legitimate BoltDB database module found at github.com/boltdb/bolt. According to the cybersecurity firm Socket, the malicious iteration (version 1.3.1) was introduced on GitHub in November 2021 and subsequently cached indefinitely by the Go Module Mirror service.
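One defensive check this kind of typosquat invites is a lookalike scan over a project's own go.mod: any required module that is not on the team's allowlist but sits within a few edits of an allowlisted path gets flagged for review. The example below is an added illustration, not code from Socket, the Go project or the article; the allowlist, the sample go.mod and the edit-distance threshold are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// knownGood is a constructed allowlist of module paths the team deliberately depends on.
var knownGood = []string{
	"github.com/boltdb/bolt",
	"golang.org/x/crypto",
}

// sampleGoMod is a constructed go.mod that pulls in the lookalike path from the article.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/boltdb-go/bolt v1.3.1 // indirect
	golang.org/x/crypto v0.21.0
)
`

// Require is one entry from a go.mod require directive.
type Require struct {
	Path    string
	Version string
}

// ParseGoModRequires extracts module path and version from both the single-line
// form ("require a/b v1.0.0") and the block form ("require ( ... )").
func ParseGoModRequires(goMod string) []Require {
	var out []Require
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			out = append(out, Require{f[0], f[1]})
		case !inBlock && len(f) >= 3 && f[0] == "require":
			out = append(out, Require{f[1], f[2]})
		}
	}
	return out
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// editDistance is the Levenshtein distance between a and b (two-row dynamic programming).
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Lookalike pairs a required module with the allowlisted path it resembles.
type Lookalike struct {
	Required  string
	Resembles string
	Distance  int
}

// FindLookalikes flags required modules that are absent from the allowlist but lie
// within maxDist edits of an allowlisted path, e.g. "boltdb-go/bolt" vs "boltdb/bolt".
func FindLookalikes(reqs []Require, allow []string, maxDist int) []Lookalike {
	allowed := make(map[string]bool, len(allow))
	for _, p := range allow {
		allowed[p] = true
	}
	var hits []Lookalike
	for _, r := range reqs {
		if allowed[r.Path] {
			continue
		}
		for _, good := range allow {
			d := editDistance(strings.ToLower(r.Path), strings.ToLower(good))
			if d > 0 && d <= maxDist {
				hits = append(hits, Lookalike{r.Path, good, d})
			}
		}
	}
	return hits
}

func main() {
	for _, h := range FindLookalikes(ParseGoModRequires(sampleGoMod), knownGood, 3) {
		fmt.Printf("REVIEW: %s resembles %s (distance %d)\n", h.Required, h.Resembles, h.Distance)
	}
}
```

A threshold of three edits is enough to catch an inserted "-go" segment while leaving unrelated paths alone; in practice the allowlist would be generated from a reviewed lockfile rather than typed by hand, and a hit means a human checks the module's origin before the build proceeds.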
Upon installation, this backdoored package allows attackers to gain remote access to the infected system, enabling the execution of arbitrary commands. Kirill Boychenko, a researcher at Socket, remarked that this incident highlights one of the first cases where a malicious actor has exploited the indefinite caching mechanism of the Go Module Mirror to deceive users into downloading their compromised package. The attacker later manipulated the Git tags in the source repository, redirecting them toward a clean version.
In a formal statement released to The Hacker News, Socket explained that the malicious GitHub repository was a fork of the legitimate BoltDB module. The perpetrator modified the Git tag for version 1.3.1, pointing it to a safe commit, effectively obscuring the malware in plain sight.
“Git tags are mutable unless specifically safeguarded,” Socket noted. “This means repository owners can delete and reassign tags at any time. However, the Go Module Proxy retained the original malicious version, which was never updated or removed, allowing this attack to remain effective.” This tactic ensured that a manual review of the GitHub repository would not uncover any harmful content and that unsuspecting developers would continue to download the backdoored package using the Go command-line interface.
Once a module version is cached by the Go Module Proxy, it remains accessible even after modifications are made to the source. Boychenko emphasized that while this design supports legitimate use cases, it has been exploited by the attacker to consistently distribute malicious code despite changes being made to the original repository.
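The mismatch the article describes, a tag that now points at clean code while the proxy keeps serving the original zip, is detectable because go.sum and the checksum database record an "h1:" hash of the module zip's contents. Recomputing that hash over a fresh checkout of the tag and comparing it with the recorded value shows whether the two have drifted. The block below is an added example, not code from the Go project or the article; it reimplements Go's dirhash Hash1 construction over an in-memory file list, and the module path, version and file contents are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFile is one file from a checkout of the tagged commit (constructed, in memory).
type ModuleFile struct {
	Name    string // slash-separated path relative to the module root
	Content []byte
}

// CleanCheckout stands in for what the repository tag points at today (constructed).
var CleanCheckout = []ModuleFile{
	{"go.mod", []byte("module example.com/mod\n\ngo 1.22\n")},
	{"db.go", []byte("package mod\n\nfunc Open() {}\n")},
}

// CachedZip stands in for what the proxy cached when it first saw the version:
// the same files plus one extra file that the tag no longer carries (constructed).
var CachedZip = append(append([]ModuleFile{}, CleanCheckout...),
	ModuleFile{"init.go", []byte("package mod\n\nfunc init() {}\n")})

// H1Hash computes the "h1:" hash that go.sum records for a module version, following
// Go's dirhash Hash1 algorithm: every file's SHA-256 is listed as
// "<hex>  <module>@<version>/<name>\n" in sorted name order, and the SHA-256 of that
// summary is base64-encoded.
func H1Hash(modPath, version string, files []ModuleFile) string {
	prefix := modPath + "@" + version + "/"
	names := make([]string, 0, len(files))
	byName := make(map[string][]byte, len(files))
	for _, f := range files {
		n := prefix + f.Name
		names = append(names, n)
		byName[n] = f.Content
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(byName[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// ParseGoSum returns the hash go.sum records for the module zip of one version
// (the "path version h1:..." line, not the "path version/go.mod h1:..." line).
func ParseGoSum(goSum, modPath, version string) (string, bool) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == modPath && f[1] == version {
			return f[2], true
		}
	}
	return "", false
}

// VerifyTagMatchesSum reports whether a fresh checkout of the tag hashes to the value
// go.sum recorded for that version. A false result means the tag and the proxy's cached
// copy have diverged and the dependency needs manual review.
func VerifyTagMatchesSum(goSum, modPath, version string, checkout []ModuleFile) (bool, error) {
	want, ok := ParseGoSum(goSum, modPath, version)
	if !ok {
		return false, fmt.Errorf("no go.sum entry for %s %s", modPath, version)
	}
	return H1Hash(modPath, version, checkout) == want, nil
}

func main() {
	const mod, ver = "example.com/mod", "v1.0.0"
	// Build a go.sum the way it would look after the proxy served CachedZip.
	goSum := fmt.Sprintf("%s %s %s\n%s %s/go.mod h1:PLACEHOLDER\n", mod, ver, H1Hash(mod, ver, CachedZip), mod, ver)
	ok, err := VerifyTagMatchesSum(goSum, mod, ver, CleanCheckout)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if ok {
		fmt.Println("tag matches cached module")
	} else {
		fmt.Println("MISMATCH: tag no longer matches the module the proxy serves")
	}
}
```

Against a real module the file list would come from the zip that `go mod download` fetches and from `git archive` of the tag, with vendor directories and nested modules excluded as the Go toolchain does; the comparison logic is the same. Because the checksum database also records only what the proxy first saw, this source-versus-proxy comparison is the check that catches a moved tag, which go.sum verification alone does not.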
As developers and security teams absorb the implications of this attack, they should be vigilant about cached module versions that attackers can use to bypass detection. The disclosure comes as Cycode recently detailed three malicious npm packages—serve-static-corell, openssl-node, and next-refresh-token—that concealed obfuscated code intended to gather system metadata and execute commands from a remote server on infected machines.
In an advisory issued on February 5, 2025, concerning the malicious package github.com/boltdb-go/bolt, the maintainers of the Go Module Mirror confirmed its classification as a malicious typosquatted package designed to exploit user confusion with the legitimate BoltDB module.