<![CDATA[(socket.dev) Typosquatted Go Module Weaponized with DNS-Based Command and Control: Analysis of github.com/shopsprint/decimal]]>

<![CDATA[(socket.dev) Typosquatted Go Module Weaponized with DNS-Based Command and Control: Analysis of github.com/shopsprint/decimal]]>(socket.dev) Typosquatted Go Module Weaponized with DNS-Based Command and Control: Analysis of github.com/shopsprint/decimal

New supply chain threat: Typosquatted Go module github.com/shopsprint/decimal (v1.3.3) backdoors systems via DNS TXT-based C2. Module remains accessible via Go proxy despite repo takedown.

In brief - A malicious Go module impersonating the popular shopspring/decimal library was weaponized in August 2023 with a DNS-based backdoor. The attack abuses Go's init() function to execute arbitrary commands from TXT records, posing a persistent risk to developers.

Technically - The typosquatted github.com/shopsprint/decimal (v1.3.3) abuses Go's init() function to poll dnslog-cdn-images.freemyip.com every 5 minutes for TXT records, executing returned commands via os/exec.Command. The C2 leverages dynamic DNS and evades detection by preserving the legitimate API. Detection requires auditing go.mod for the typosquatted import and scanning for anomalous imports (net, os/exec, time) in non-network libraries.

Source: https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor

#Cybersecurity #ThreatIntel

]]>https://board.circlewithadot.net/topic/3720e7de-e500-4270-aeed-e21750b89027/socket.dev-typosquatted-go-module-weaponized-with-dns-based-command-and-control-analysis-of-github.com-shopsprint-decimalRSS for NodeMon, 25 May 2026 11:24:28 GMTTue, 19 May 2026 17:58:55 GMT60