Single-Letter Go Module Typosquat Introduces Persistent Backdoor
Severity: High (Score: 67.5)
Sources: Cybersecuritynews, Gbhackers
Keywords: module, single-letter, typosquat, typo, backdoor, uncovered, malicious
Severity indicators: backdoor
Summary
A malicious Go module named github.com/shopsprint/decimal has been discovered, impersonating the legitimate github.com/shopspring/decimal library. This typosquatting attack has been active since 2017 and was weaponized in August 2023, allowing attackers to deploy a persistent backdoor. The legitimate package is widely used, with over 38,000 known downloads, affecting numerous Go developers and applications reliant on high-precision arithmetic. Security researchers have confirmed the ongoing risk posed by this malicious package, which could compromise sensitive data and systems. Developers are urged to verify their dependencies to prevent exploitation. The current status of the threat remains active, with no immediate resolution reported.
Key Points:
- A malicious Go module has impersonated a widely used library since 2017.
- The attack was weaponized in August 2023, introducing a persistent backdoor.
- Developers are advised to check their dependencies to mitigate risks.
Detailed Analysis
**Impact**
The attack affects Go developers and organizations relying on the widely adopted github.com/shopspring/decimal library, used in financial and analytics applications. Over 38,000 known projects have integrated the legitimate package, indicating a broad potential impact across multiple sectors globally. The malicious module introduced a persistent backdoor, risking unauthorized access and data compromise in affected software environments.
**Technical Details**
The attack vector is a software supply chain compromise via single-letter typosquatting of the Go module name (shopsprint vs. shopspring). The malicious package was published in 2017 but weaponized starting August 2023 to deploy a live DNS-based backdoor. No CVEs or specific malware names were provided. The kill chain stage involves initial access through dependency confusion and persistence via the backdoor. No IOCs were explicitly mentioned.
**Recommended Response**
Immediately audit dependencies to ensure the correct github.com/shopspring/decimal module is used, removing any instances of github.com/shopsprint/decimal. Implement monitoring for unusual DNS activity originating from Go applications. Harden supply chain security by enforcing strict module verification and consider using tools that detect typosquatting in dependencies. No patch or CVE mitigation is available; focus on detection and dependency hygiene.
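A concrete form of the dependency audit recommended above, written for this page as an added example (it is not code from the source articles or from either the shopspring or shopsprint project): it parses a go.mod, compares every required module path against an allowlist of modules the project is expected to use, and flags any path that is not on the list yet sits within one edit of a listed one, which is exactly how github.com/shopsprint/decimal shows up next to github.com/shopspring/decimal. The allowlist (KnownGood), the sample go.mod (SampleGoMod) and the example.com/ledger module name are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// KnownGood is a constructed allowlist: the module paths this hypothetical project intends to use.
var KnownGood = []string{
	"github.com/shopspring/decimal",
	"github.com/google/uuid",
}

// SampleGoMod is a constructed go.mod that pulls in the typosquat (shopsprint) beside the real module.
const SampleGoMod = `module example.com/ledger
require github.com/google/uuid v1.6.0
require (
	github.com/shopsprint/decimal v1.3.1
	github.com/shopspring/decimal v1.3.1
	golang.org/x/text v0.14.0 // indirect
)
`

// Finding is a required module that is not allowlisted but lies within a few edits of an allowlisted path.
type Finding struct {
	Module   string // path as written in go.mod
	Nearest  string // closest allowlisted path
	Distance int    // edit distance between the two
}

// levenshtein returns the insert/delete/substitute edit distance between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cur[j] = prev[j-1] // match or substitution
			if ra[i-1] != rb[j-1] {
				cur[j]++
			}
			if d := prev[j] + 1; d < cur[j] { // deletion
				cur[j] = d
			}
			if d := cur[j-1] + 1; d < cur[j] { // insertion
				cur[j] = d
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// parseRequires returns module paths from go.mod require directives, in single-line and block form.
func parseRequires(gomod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mods = append(mods, f[0])
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mods = append(mods, f[1])
		}
	}
	return mods
}

// FindNearMisses reports required modules that are not allowlisted but sit within maxDist edits of an
// allowlisted path: the shape of a one-letter typosquat such as shopsprint vs. shopspring.
func FindNearMisses(gomod string, allow []string, maxDist int) []Finding {
	var out []Finding
	for _, mod := range parseRequires(gomod) {
		best, bestD := "", -1
		for _, good := range allow {
			if d := levenshtein(mod, good); bestD < 0 || d < bestD {
				best, bestD = good, d
			}
		}
		if bestD > 0 && bestD <= maxDist { // 0 means mod itself is allowlisted
			out = append(out, Finding{mod, best, bestD})
		}
	}
	return out
}

func main() { fmt.Printf("%+v\n", FindNearMisses(SampleGoMod, KnownGood, 1)) }
```

Running it on the constructed go.mod reports a single finding for github.com/shopsprint/decimal at distance 1 from github.com/shopspring/decimal, while the allowlisted modules themselves score 0 and are ignored. The allowlist is the point of reference: both module paths live on GitHub, so nothing about the path alone tells a build that one is legitimate. A go.mod only covers what the main module declares; for the whole module graph, feed the `path version` lines of `go list -m all` through the same distance check.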
Source articles (2)
- Single-Letter Go Module Typosquat Drops DNS — Gbhackers · 2026-05-20
A newly uncovered software supply chain attack targeting Go developers demonstrates how a single-character typo can silently introduce a persistent backdoor. A malicious Go module, github.com/shopspri…
- Hackers Use Single-Letter Go Module Typosquat to Deploy DNS — Cybersecuritynews · 2026-05-20
A seemingly innocent typo in a Go module name has been quietly serving a live backdoor for nearly three years. Security researchers uncovered a malicious package called github.com/shopsprint/decimal t…
Timeline
- 2017-01-01 — Malicious Go module created: The typosquatting module github.com/shopsprint/decimal was made available, mimicking a legitimate library.
- 2023-08-01 — Module weaponized: Attackers modified the malicious module to deploy a persistent backdoor, increasing its threat level.
- 2026-05-20 — Discovery of the attack: Security researchers uncovered the ongoing risk posed by the typosquatting module, prompting alerts to developers.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- T1036 - Masquerading (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Go (Mitre Attack)
- GitHub (Platform)