216.73.217.139

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

· Published 20/05/2026 05:16 · Modified 21/05/2026 00:37

Export JSON

Essential information

Published
20/05/2026 05:16
Modified
21/05/2026 00:37
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
c2 channel decimal library dns backdoor dynamic dns go ecosystem init function supply chain attack typosquatting
Tags
2026-05-20 c2 channel decimal library dns backdoor dynamic dns go ecosystem init function supply chain attack typosquatting
Related entities
3 indicators, 3 observables, 15 techniques (mitre), 1 others

Description

A long-running campaign impersonated the widely used shopspring/decimal Go library by publishing github.com/shopsprint/decimal, differing by a single character. Active since November 2017, the package remained benign through seven releases until being weaponized in August 2023 with version v1.3.3. This version introduced a malicious init() function that executes automatically on import, establishing a DNS TXT record-based command and control channel to dnslog-cdn-images.freemyip.com. The backdoor polls every five minutes and executes arbitrary commands returned via TXT records. Although the GitHub repository and owner account have been deleted, the malicious module remains permanently cached and accessible through Go's module proxy system, continuing to pose a supply chain risk to developers who mistype the package name.

External references