
Hidden Backdoor Found in Popular Go Packages

The Go programming ecosystem has been hit by a long-running supply chain attack that secretly targeted developers for more than four years. Security researchers from the Socket Threat Research Team uncovered two malicious Go packages, github.com/bpoorman/uuid and github.com/bpoorman/uid, designed to steal sensitive data while masquerading as legitimate UUID libraries.

This incident highlights the growing danger of software supply chain attacks, open-source typosquatting, and hidden data exfiltration backdoors in developer environments.


Fake Go Packages Mimic Popular UUID Libraries

The malicious packages were created to look nearly identical to two widely downloaded and trusted Go libraries:

  • github.com/google/uuid
  • github.com/pborman/uuid

The attacker used the deceptive username bpoorman—intentionally similar to pborman, the maintainer of a popular UUID library. This technique, known as typosquatting, relies on developers accidentally mistyping import paths.

Because these legitimate UUID libraries are used in millions of Go applications, even a small typo—typing bpoorman instead of pborman—was enough to install a harmful package without any warning.

To avoid suspicion, the fake package fully replicated the behavior of the real UUID generator, making the malicious code extremely stealthy and hard to detect.


How the Malicious Go Package Steals Data

Inside the malicious bpoorman/uuid package, researchers discovered a hidden backdoor function named Valid. This function appears harmless and mimics the naming of legitimate utility functions.

However, its behavior is anything but safe.

Malicious Behavior Embedded Inside Valid():

  • ✔ Still generates UUIDs normally
  • ✔ Accepts user data, identifiers, and tokens
  • ❌ Secretly encrypts the input data
  • ❌ Uploads the stolen information to dpaste.com, a public paste-sharing service
  • ❌ Uses a hardcoded API token to transmit the data
  • ❌ Leaves no logs, alerts, or unusual output

This backdoor enabled attackers to silently collect:

  • User session tokens
  • Internal user identifiers
  • Email addresses
  • Sensitive application metadata
  • Any data passed into the Valid function

This is a textbook example of covert data exfiltration via compromised open-source packages.
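The two traits described above, a utility library that carries a paste-service URL and makes outbound HTTP calls, are visible in source without running anything. The following scanner is an added example written for this article; it is not Socket's tooling and not code from the bpoorman packages. It parses one Go file with the standard go/parser and reports an import of net/http or net (which a UUID helper has no reason to need) and any string literal naming a paste service. The two fixture files and the host list are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Paste-service hosts listed in the report's egress-blocking advice (extend as needed).
var pasteHosts = []string{"dpaste.com", "pastebin.com", "ghostbin"}

// Indicator is one suspicious item found in a Go source file.
type Indicator struct {
	File string
	Line int
	What string
}

// scanGoSource parses one Go file (no type-checking needed) and reports two
// kinds of indicator: an import of net/http or net, which a UUID-style utility
// library has no reason to need, and any string literal that names a paste
// service. Both are cheap enough to run over an entire module cache.
func scanGoSource(filename, src string) ([]Indicator, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Indicator
	for _, imp := range f.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		if p == "net/http" || p == "net" {
			out = append(out, Indicator{filename, fset.Position(imp.Pos()).Line,
				"imports " + p + " in package " + f.Name.Name})
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.BasicLit)
		if !ok || lit.Kind != token.STRING {
			return true
		}
		s, err := strconv.Unquote(lit.Value)
		if err != nil {
			return true
		}
		for _, h := range pasteHosts {
			if strings.Contains(strings.ToLower(s), h) {
				out = append(out, Indicator{filename, fset.Position(lit.Pos()).Line,
					"references paste service " + h})
			}
		}
		return true
	})
	return out, nil
}

// Constructed fixture with the shape the report describes: a "uuid" package whose
// Valid helper sits next to a paste-service URL and an HTTP import. It contains
// no upload logic, only the indicators a scanner keys on.
const suspiciousSrc = `package uuid

import (
	"net/http"
	"regexp"
)

const endpoint = "https://dpaste.com/api/"

var re = regexp.MustCompile("^[0-9a-f-]{36}$")

// Valid reports whether s looks like a UUID.
func Valid(s string) bool {
	_ = http.StatusOK
	return re.MatchString(s)
}
`

// Constructed benign counterpart: same API, no network code, no paste host.
const benignSrc = `package uuid

import "regexp"

var re = regexp.MustCompile("^[0-9a-f-]{36}$")

func Valid(s string) bool { return re.MatchString(s) }
`

func main() {
	for name, src := range map[string]string{"suspicious.go": suspiciousSrc, "benign.go": benignSrc} {
		ind, err := scanGoSource(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d indicator(s)\n", name, len(ind))
		for _, i := range ind {
			fmt.Printf("  line %d: %s\n", i.Line, i.What)
		}
	}
}
```

To run it over real dependencies, walk `$(go env GOMODCACHE)` with filepath.WalkDir, read each `.go` file with os.ReadFile and pass it to scanGoSource; an HTTP import alone is only a lead (plenty of honest libraries need it), but an HTTP import plus a paste-service string inside a package that advertises itself as a UUID generator is exactly the combination this report describes.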


A Threat Active for More Than Four Years

The extent of this attack is especially concerning.

  • The malicious bpoorman/uuid package was first uploaded in May 2021
  • It remained live and undetected for over four years
  • It was still discoverable through pkg.go.dev
  • The related bpoorman/uid package was removed from search results but remained accessible through public mirrors

This persistence demonstrates how open-source ecosystem vulnerabilities can remain unnoticed when attackers use subtle methods like:

  • Name impersonation
  • Backdoor embedding
  • Function-level tampering
  • Mimicking legitimate library behavior

For years, unsuspecting Go developers may have unknowingly integrated backdoored code into production systems.


Recommended Actions for Go Developers

To mitigate the threat and prevent future incidents, security experts recommend:

1. Audit project dependencies immediately

Search for github.com/bpoorman/uuid or github.com/bpoorman/uid in:

  • go.mod
  • imported packages
  • vendor directories

Remove them immediately if found.

2. Verify import paths before installation

Avoid manually typing long package names. Use:

  • copy-paste
  • IDE autocomplete
  • dependency managers

This reduces typosquatting risks.

3. Implement automated supply chain security tools

Use dependency scanners and monitoring tools to detect:

  • malicious imports
  • suspicious package behavior
  • dependency tampering

4. Restrict outbound network access

Block default access to public paste services such as:

  • dpaste.com
  • Pastebin
  • Ghostbin

This limits potential data exfiltration channels.

5. Monitor dependency reputation and maintainer history

Always verify:

  • maintainer legitimacy
  • repository creation date
  • contribution patterns
  • popularity and community reviews
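Steps 1 and 2 above, together with the typosquatting mechanism described earlier (bpoorman imitating pborman), can be turned into a single dependency audit. The program below is an added example for this article, not Socket's tooling: it parses the require directives of a go.mod file, flags the two module paths named in the report, and also flags any required path that sits within two edits of a trusted library path without being that path, which is the pattern a mistyped import leaves behind. The trusted allowlist, the edit-distance threshold of 2 and the sample go.mod (including the made-up gooogle/uuid path and placeholder versions) are the example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Module paths the report names as malicious.
var blockedModules = map[string]bool{"github.com/bpoorman/uuid": true, "github.com/bpoorman/uid": true}

// Trusted paths the typosquats imitate (constructed allowlist; extend it with your own dependencies).
var trustedModules = map[string]bool{"github.com/google/uuid": true, "github.com/pborman/uuid": true}

// Finding is one flagged dependency and why it was flagged.
type Finding struct{ Module, Reason string }

// levenshtein returns the edit distance between a and b (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// parseGoModRequires returns the module paths from every require directive, in both single-line and block form.
func parseGoModRequires(goMod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, f[0])
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mods = append(mods, f[1])
		}
	}
	return mods
}

// auditModules flags blocklist hits, plus any non-trusted path within two edits of a trusted one.
func auditModules(mods []string) []Finding {
	var out []Finding
	for _, m := range mods {
		switch {
		case blockedModules[m]:
			out = append(out, Finding{m, "known malicious module"})
		case trustedModules[m]:
			// the real library; nothing to report
		default:
			for t := range trustedModules {
				if d := levenshtein(m, t); d <= 2 {
					out = append(out, Finding{m, fmt.Sprintf("%d edit(s) from trusted %s", d, t)})
				}
			}
		}
	}
	return out
}

// Constructed sample go.mod with placeholder versions; gooogle/uuid is a made-up typo path.
const sampleGoMod = `module example.com/app
require (
	github.com/google/uuid v0.0.1
	github.com/bpoorman/uuid v0.0.1 // indirect
	golang.org/x/text v0.0.1
)
require github.com/gooogle/uuid v0.0.1
`

func main() {
	for _, f := range auditModules(parseGoModRequires(sampleGoMod)) {
		fmt.Printf("FLAG %s: %s\n", f.Module, f.Reason)
	}
}
```

Replace the constant with `os.ReadFile("go.mod")` to audit a real project, and run the same check over `vendor/modules.txt` and `go list -m all` output, since an indirect dependency can pull the package in even when your own go.mod never names it. Near-miss findings are leads for a human, not verdicts: a legitimate fork can also sit one edit away from the upstream path.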

A Growing Warning Sign for the Go & Open-Source Ecosystem

This attack underscores a critical truth: software supply chain security is now one of the most important pillars of cybersecurity.

As attackers increasingly exploit open-source ecosystems like Go, Python (PyPI), JavaScript (npm), Rust (crates.io) and others, developers and security teams must adopt stronger:

  • dependency validation
  • package authenticity checks
  • continuous monitoring
  • static and dynamic code scanning

The Go community—and the broader open-source world—must remain vigilant to prevent similar long-term infiltrations.

