- Someone forked a popular database module and laced it with malware
- The malicious fork was then cached and stored indefinitely
- It was then cleverly hidden in plain sight, targeting Go developers
A software supply chain attack targeting developers on the Go platform apparently stayed hidden for three years while spreading malware, experts have warned.
Cybersecurity researchers at Socket Security discovered and publicly disclosed the campaign, which began in 2021 when someone forked a relatively popular database module called BoltDB on GitHub. In the fork, they added malicious code that granted the attacker backdoor access to compromised systems.
This version was then cached indefinitely by the Go module mirror service.
Abuse of the Go module mirror
For those unfamiliar with the Go module mirror: it is a proxy service run by Google that caches and serves Go modules to improve reliability, availability and performance. It guarantees that Go modules remain accessible even if the original source is modified, deleted or becomes temporarily unavailable.
After the module was cached, the attacker changed the Git tags in the source repository to point visitors at the benign version, essentially hiding the malware in plain sight.
“Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands,” security researcher Kirill Boychenko said in his report.
Speaking to The Hacker News, Socket said this is one of the first recorded cases of threat actors taking advantage of the Go module mirror service.
“This is possible because Git tags are mutable unless explicitly,” Socket said. “A repository owner can delete and reassign a tag to a different commit at any time. However, the Go module proxy had already cached the original malicious version, which was never updated or removed from the proxy, allowing the attack to persist.”
The malicious version ended up permanently accessible thanks to the Go module proxy, Boychenko explained. “While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository.”
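The mechanism Socket describes can be checked for from the defender's side: the module proxy and go.sum record an "h1:" hash of the module contents at the moment of first fetch, so recomputing that hash from what the tag points at today and comparing it with the recorded value reveals a tag that was moved after caching. The following Go program is an added example written for this article, not Socket's code or the boltdb project's; it reimplements the Hash1 layout used by golang.org/x/mod/sumdb/dirhash with the standard library only, and the module path, version and file contents are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles is an in-memory snapshot of a module version: relative path -> contents.
// Constructed for this example; a real check would read the module zip from the proxy
// cache and a checkout of the tagged commit.
type ModuleFiles map[string][]byte

// Hash1 recomputes the "h1:" hash that go.sum and the module proxy record for a module
// version, following the Hash1 layout of golang.org/x/mod/sumdb/dirhash: every file is
// named "<module>@<version>/<path>", names are sorted, and one line per file of the form
// "<hex sha256 of contents>  <name>\n" is fed into an outer SHA-256, base64-encoded.
func Hash1(module, version string, files ModuleFiles) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // all names share one prefix, so sorting relative paths gives the same order
	outer := sha256.New()
	for _, p := range paths {
		inner := sha256.Sum256(files[p])
		fmt.Fprintf(outer, "%x  %s@%s/%s\n", inner, module, version, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(outer.Sum(nil))
}

// TagMoved reports whether the content now reachable at the tag no longer matches the
// hash the proxy (or go.sum) recorded for that version. A mismatch means the tag was
// re-pointed after the proxy cached it, which is the pattern described in the article.
func TagMoved(recordedHash, module, version string, currentTag ModuleFiles) bool {
	return Hash1(module, version, currentTag) != recordedHash
}

const (
	exampleModule  = "example.invalid/forked-db" // placeholder module path, not the real one
	exampleVersion = "v1.0.0"                    // placeholder version
)

// CachedSnapshot is what the proxy stored the first time it fetched the tag
// (constructed sample: it carries one extra source file the current tag lacks).
func CachedSnapshot() ModuleFiles {
	return ModuleFiles{
		"go.mod":   []byte("module " + exampleModule + "\n\ngo 1.21\n"),
		"db.go":    []byte("package db\n\nfunc Open() error { return nil }\n"),
		"extra.go": []byte("package db\n\n// present only in the cached snapshot\n"),
	}
}

// CurrentTagSnapshot is what a checkout of the same tag yields after the owner moved
// the tag to a clean commit (constructed sample).
func CurrentTagSnapshot() ModuleFiles {
	return ModuleFiles{
		"go.mod": []byte("module " + exampleModule + "\n\ngo 1.21\n"),
		"db.go":  []byte("package db\n\nfunc Open() error { return nil }\n"),
	}
}

func main() {
	recorded := Hash1(exampleModule, exampleVersion, CachedSnapshot())
	fmt.Println("hash recorded by the proxy:", recorded)
	fmt.Println("hash of the tag today:     ", Hash1(exampleModule, exampleVersion, CurrentTagSnapshot()))
	if TagMoved(recorded, exampleModule, exampleVersion, CurrentTagSnapshot()) {
		fmt.Println("MISMATCH: tag content diverged from the cached version; inspect the cached zip")
	} else {
		fmt.Println("ok: cached version matches the tag")
	}
}
```

The real-world counterpart of the two snapshots is `go mod download -json module@version`, which prints the `Sum` the proxy serves, versus the same command run with `GOPROXY=direct`, which fetches the tag from the origin repository; the go command reports a checksum mismatch between the two as a verification error, and that error is the cue to pull the cached zip and review what it contains that the repository no longer shows.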
Boychenko said he had reported his findings and was awaiting removal of the malicious content: “As of this publication, the malicious package remains available on the Go module mirror. We have requested its removal from the module mirror and also reported the repository and the threat actor's GitHub account, which were used to distribute the backdoored boltdb-go package.”