Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Essential information
- Published
- 20/05/2026 05:16
- Modified
- 21/05/2026 00:37
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- c2 channel decimal library dns backdoor dynamic dns go ecosystem init function supply chain attack typosquatting
- Tags
- 2026-05-20 c2 channel decimal library dns backdoor dynamic dns go ecosystem init function supply chain attack typosquatting
- Related entities
- 3 indicators, 3 observables, 15 techniques (mitre), 1 others
Description
A long-running typosquatting campaign impersonated the widely used shopspring/decimal Go library by publishing github.com/shopsprint/decimal, differing by a single character. Active since November 2017, the package remained benign through seven releases until being weaponized in August 2023 with version v1.3.3. This version introduced a malicious init() function that executes automatically on import, establishing a DNS TXT record-based command and control channel to dnslog-cdn-images.freemyip.com. The backdoor polls every five minutes and executes arbitrary commands returned via TXT records. Although the GitHub repository and owner account have been deleted, the malicious module remains permanently cached and accessible through Go's module proxy system, continuing to pose a supply chain risk to developers who mistype the package name.