In a startling revelation, it has come to light that a backdoored version of a widely used Go module was hosted on Google’s Go Module Mirror for over three years. This incident underscores the subtle yet severe implications of typosquatting within software repositories—a technique where malicious versions mimic the names of legitimate packages to deceive developers. The compromised package, a rogue version of boltdb/bolt, managed to remain under the radar by exploiting the caching mechanism meant to boost performance and compatibility within the Go ecosystem.
The mechanism of attack was not overly sophisticated but remarkably effective. By creating a typosquatted repository and pushing a backdoored version, the threat actors ensured that even after the original source was rectified, the tainted code continued to be served by the Go Module Mirror. This persistent availability facilitated a potentially widespread compromise before eventual detection and takedown of the malicious module.
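One way a defender can catch this pattern in their own dependency tree is to compare every `require` entry in a go.mod against an allowlist of the module paths they actually intend to use and flag near-misses such as an extra `-go` in the organisation segment. The script below is an added example written for this post, not code from the article or from the boltdb project; the go.mod contents, the allowlist and the version strings are constructed for the demonstration, and the 0.8 similarity threshold is an assumption you would tune for your own allowlist.

```python
"""Flag require entries in a go.mod that look like near-misses of known modules."""
import re
from difflib import SequenceMatcher

# Constructed allowlist of module paths the project intends to depend on.
# github.com/boltdb/bolt is the legitimate path named in the Ars Technica report.
KNOWN_MODULES = {
    "github.com/boltdb/bolt",
    "github.com/spf13/cobra",
}

# Constructed go.mod: the first require mirrors the typosquatted path from the report.
SAMPLE_GOMOD = """module example.com/app

go 1.21

require (
    github.com/boltdb-go/bolt v1.3.1 // indirect
    github.com/spf13/cobra v1.8.0
    golang.org/x/sys v0.15.0
)
"""


def parse_requires(gomod_text):
    """Return (module_path, version) for every require entry, block or single-line."""
    reqs, in_block = [], False
    for raw in gomod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        m = re.match(r"^(?:require\s+)?(\S+)\s+(v\S+)$", line)
        if m and (in_block or line.startswith("require ")):
            reqs.append((m.group(1), m.group(2)))
    return reqs


def find_lookalikes(gomod_text, known=KNOWN_MODULES, threshold=0.8):
    """Return (suspect_path, known_path) pairs for requires that are not on the
    allowlist but closely resemble an allowlisted module path."""
    hits = []
    for path, _version in parse_requires(gomod_text):
        if path in known:
            continue
        for good in known:
            if SequenceMatcher(None, path, good).ratio() >= threshold:
                hits.append((path, good))
    return hits
```

Run it against the go.mod files in CI; a hit means a human should confirm the module path before the build is allowed to pull it through the proxy.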
Source: Go Module Mirror served backdoor to devs for 3+ years - Ars Technica
Also I have found a cool video explaining the report in more depth: https://www.youtube.com/watch?v=2QLtDGqgop8
Also, the mentioned GitHub repo is not accessible right now, but it used to be hosted here: https://github.com/boltdb-go/bolt
lemme know what you think.
peace out.