(socket.dev) Typosquatted Go Module Weaponized with DNS-Based Command and Control: Analysis of github.com/shopsprint/decimal
New supply chain threat: Typosquatted Go module github.com/shopsprint/decimal (v1.3.3) backdoors systems via DNS TXT-based C2. Module remains accessible via Go proxy despite repo takedown.
In brief - A malicious Go module impersonating the popular shopspring/decimal library was weaponized in August 2023 with a DNS-based backdoor. The attack abuses Go's init() function to execute arbitrary commands from TXT records, posing a persistent risk to developers.
Technically - The typosquatted github.com/shopsprint/decimal (v1.3.3) abuses Go's init() function to poll dnslog-cdn-images.freemyip.com every 5 minutes for TXT records, executing returned commands via os/exec.Command. The C2 leverages dynamic DNS and evades detection by preserving the legitimate API. Detection requires auditing go.mod for the typosquatted import and scanning for anomalous imports (net, os/exec, time) in non-network libraries.
Source: https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor
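The two detection checks the summary calls for, as an added example that is not part of the Socket post or of either decimal library: a go.mod scan for the typosquatted module path, and a go/parser pass over a dependency's source that flags the net, os/exec and time imports together with a package-level init(). The function names, the typosquat table and the sample go.mod and source text are all constructed here for illustration; the only page-supplied values are the two module paths and v1.3.3.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// knownTyposquats maps a malicious module path to the legitimate module it
// impersonates. Only the pair named in the post is listed; extend as needed.
var knownTyposquats = map[string]string{
	"github.com/shopsprint/decimal": "github.com/shopspring/decimal",
}

// anomalousForArithmeticLib lists imports a decimal-arithmetic library has no
// reason to pull in; these are the three the post singles out.
var anomalousForArithmeticLib = map[string]bool{"net": true, "os/exec": true, "time": true}

// FlagGoModRequires scans go.mod text and returns each require entry whose module
// path is a known typosquat, as "<path> <version> (impersonates <legit path>)".
// Both single-line "require x v1" and block "require ( ... )" forms are handled.
func FlagGoModRequires(goMod string) []string {
	var hits []string
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "require ")
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // "module", "go", "(", ")" and blank lines never match
		}
		if legit, ok := knownTyposquats[fields[0]]; ok {
			hits = append(hits, fmt.Sprintf("%s %s (impersonates %s)", fields[0], fields[1], legit))
		}
	}
	return hits
}

// AnomalousImports parses one Go source file and returns, sorted, the imports that
// fall in the anomalous set, plus whether the file declares a package-level init(),
// the hook the post says the backdoor runs from. The file is parsed, not compiled.
func AnomalousImports(src string) (imports []string, hasInit bool, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "dep.go", src, 0)
	if err != nil {
		return nil, false, err
	}
	for _, imp := range f.Imports {
		path, uerr := strconv.Unquote(imp.Path.Value)
		if uerr != nil {
			continue
		}
		if anomalousForArithmeticLib[path] {
			imports = append(imports, path)
		}
	}
	sort.Strings(imports)
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Recv == nil && fn.Name.Name == "init" {
			hasInit = true
		}
	}
	return imports, hasInit, nil
}

// sampleGoMod is a constructed go.mod for a project that pulled in the typosquat.
const sampleGoMod = `module example.com/payments

go 1.21

require (
	github.com/shopsprint/decimal v1.3.3
	github.com/stretchr/testify v1.8.4
)
`

// sampleDepSource is a constructed dependency file showing only the import shape
// and init hook the post describes; the init body is deliberately empty.
const sampleDepSource = `package decimal

import (
	"math/big"
	"net"
	"os/exec"
	"time"
)

type Decimal struct {
	value *big.Int
	exp   int32
}

func init() {} // body omitted in this constructed sample
`

// cleanSource is what an arithmetic-only file looks like, for contrast.
const cleanSource = `package decimal

import "math/big"

type Decimal struct {
	value *big.Int
	exp   int32
}
`

func main() {
	for _, h := range FlagGoModRequires(sampleGoMod) {
		fmt.Println("go.mod:", h)
	}
	imps, hasInit, err := AnomalousImports(sampleDepSource)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("anomalous imports: %v, init() present: %v\n", imps, hasInit)
}
```

Run the same two functions over every go.mod in a monorepo and every .go file under the module cache for a dependency that should be pure arithmetic; a hit on the import set is a triage signal, and a hit on the module path is a finding.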