CyberSecurityNews

Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor


A seemingly innocent typo in a Go module name has been quietly serving a live backdoor for nearly three years. Security researchers uncovered a malicious package called github.com/shopsprint/decimal that impersonates the popular github.com/shopspring/decimal library, differing by just a single letter in its name.

The package went live in 2017 but was weaponized in August 2023, when attackers slipped in a hidden function that opens a covert command-and-control channel over DNS records.

The attack targets Go developers working on financial software, billing systems, cryptocurrency platforms, and analytics tools.

These developers rely on the legitimate shopspring/decimal library for precise arithmetic calculations without rounding errors.

The fake package mirrors the real one so closely that any project importing it will compile and run normally, with no visible errors or unusual output to raise suspicion.

Researchers at Socket.dev, who shared their findings in a report with Cyber Security News (CSN), identified the rogue module and traced its activity to the exact moment it was weaponized.

The malicious version is v1.3.3, published on August 19, 2023, just seven minutes after a clean release was pushed to create the illusion of normal maintenance.

Seven earlier versions were entirely harmless, a deliberate strategy to build trust before the attack was finally triggered.

What makes this threat especially serious is how it survives even after the original GitHub account was deleted. The Go Module Proxy at proxy.golang.org permanently caches every published version of a module as part of Go’s reproducibility guarantee.

That means the malicious v1.3.3 remains fully accessible to any developer who runs go get with that package path today, with absolutely no warning.

The threat actor stayed silent for years, building a persistent foothold inside development environments worldwide.

With a beacon firing every five minutes and no visible process activity, the backdoor could go undetected for weeks or months on any machine that imported the compromised package.

Hackers Use Single-Letter Go Module Typosquat

The entire difference between the safe package and the dangerous one is a single character. The legitimate library is shopspring, while the typosquat uses shopsprint, replacing the final g with a t.

A developer typing quickly, copying from memory, or relying on autocomplete could easily end up with the wrong module without realizing it.

The malicious version introduces three new imports into the source file: net, os/exec, and time. None of these belong in a decimal math library, and their presence is the clearest technical signal that something is wrong.

The attack activates the moment any Go binary importing the package is run, because the payload lives inside an init() function that Go executes at startup before any other code runs. Importing the typosquatted module anywhere in a project’s dependency tree is enough to start the C2 loop.
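The combination described above, an init() function next to imports that a pure-arithmetic library never needs, can be checked mechanically before a dependency is vendored or upgraded. The following Go program is an added example, not code from the article or from Socket.dev: it uses the standard library go/parser to list a file's imports and its top-level init declarations, and flags the file when both signals are present. The two source samples are constructed stand-ins; the trojanized one reproduces only the telltale import list and an init() with no payload body.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Packages a decimal-arithmetic library has no reason to import. The article
// names net, os/exec and time as the additions in shopsprint/decimal v1.3.3.
var suspiciousImports = map[string]bool{
	"net":     true,
	"os/exec": true,
	"time":    true,
}

// Finding summarises what the scanner saw in one source file.
type Finding struct {
	HasInit    bool     // file declares at least one top-level init()
	Suspicious []string // imports from suspiciousImports, in source order
	Flagged    bool     // HasInit and at least one suspicious import
}

// ScanSource parses Go source text (without type-checking or building it)
// and reports whether it pairs an init() function, which Go runs on import
// before any other code, with imports a math library should not need.
func ScanSource(filename, src string) (Finding, error) {
	var fd Finding
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return fd, err
	}
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return fd, err
		}
		if suspiciousImports[path] {
			fd.Suspicious = append(fd.Suspicious, path)
		}
	}
	for _, decl := range f.Decls {
		// A top-level func named init with no receiver is a package initializer.
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Recv == nil && fn.Name.Name == "init" {
			fd.HasInit = true
		}
	}
	fd.Flagged = fd.HasInit && len(fd.Suspicious) > 0
	return fd, nil
}

// cleanDecimal is a constructed stand-in for a benign arithmetic package.
const cleanDecimal = `package decimal

import (
	"math/big"
	"strings"
)

type Decimal struct{ value *big.Int }

func (d Decimal) String() string { return strings.TrimSpace(d.value.String()) }
`

// trojanizedDecimal is a constructed stand-in that mirrors only the import
// list the article describes plus an init(); no payload is reproduced.
const trojanizedDecimal = `package decimal

import (
	"math/big"
	"net"
	"os/exec"
	"strings"
	"time"
)

type Decimal struct{ value *big.Int }

func (d Decimal) String() string { return strings.TrimSpace(d.value.String()) }

func init() {
	// payload would start here; body intentionally omitted in this sample
}
`

func main() {
	for name, src := range map[string]string{"clean.go": cleanDecimal, "trojan.go": trojanizedDecimal} {
		fd, err := ScanSource(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: init=%v suspicious=%v flagged=%v\n", name, fd.HasInit, fd.Suspicious, fd.Flagged)
	}
}
```

Run this over every file under a module's download cache (for example the directory go env GOMODCACHE points at) after a go get, and treat a flagged file in a library whose job is arithmetic as something to read by hand before the build proceeds.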

The DNS-Based Backdoor Explained

Once triggered, the malicious init() launches a background loop that contacts a DNS subdomain every five minutes, requesting a TXT record.

TXT records are a DNS entry type used to hold arbitrary text, which the attacker uses to deliver operating system commands directly to infected machines.

The subdomain acting as the command server is dnslog-cdn-images[.]freemyip[.]com, hosted on a free dynamic DNS provider that the attacker fully controls.

Whatever command the TXT record contains is passed directly to the operating system for execution. The results are captured and discarded, leaving no output, no logs, and no visible trace.

Since DNS traffic rarely triggers the same alarms as outbound HTTP, this method lets the attacker issue commands while staying below the radar of most security tools.
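The mechanism just described leaves a recognisable shape in DNS query logs: the same client asking for a TXT record of the same name at a fixed interval. The Go program below is an added example, not code from the article or from Socket.dev, that parses a constructed, space-separated key=value query-log format (the format is an assumption; adapt ParseLine to your resolver's logging) and raises two kinds of alert: any lookup under the dynamic-DNS parent named in the article's IoCs, and any TXT name queried at regular intervals. The watched domain is stored defanged, as the article prints it, and re-fanged only inside the comparison.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Query is one parsed DNS query-log record.
type Query struct {
	Time   time.Time
	Client string
	QName  string
	QType  string
}

// Alert describes one suspicious pattern found in the log.
type Alert struct {
	Client, QName, Reason string
}

// Parent domains to watch, written defanged as in the article's IoC table.
var watchedParents = []string{"freemyip[.]com"}

func refang(d string) string { return strings.ToLower(strings.ReplaceAll(d, "[.]", ".")) }

// ParseLine parses a line of the constructed format:
//   2023-09-01T10:00:00Z client=10.0.0.5 qname=example.com. qtype=TXT
func ParseLine(line string) (Query, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return Query{}, fmt.Errorf("unexpected field count in %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Query{}, err
	}
	q := Query{Time: ts}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Query{}, fmt.Errorf("bad field %q", kv)
		}
		switch k {
		case "client":
			q.Client = v
		case "qname":
			q.QName = strings.TrimSuffix(strings.ToLower(v), ".")
		case "qtype":
			q.QType = strings.ToUpper(v)
		}
	}
	return q, nil
}

// underWatched reports whether qname is a watched parent or a subdomain of one.
func underWatched(qname string) bool {
	for _, p := range watchedParents {
		parent := refang(p)
		if qname == parent || strings.HasSuffix(qname, "."+parent) {
			return true
		}
	}
	return false
}

// beaconPeriod returns the interval if the sorted timestamps are evenly
// spaced (every gap within 10% of the first gap) and there are at least three.
func beaconPeriod(times []time.Time) (time.Duration, bool) {
	if len(times) < 3 {
		return 0, false
	}
	base := times[1].Sub(times[0])
	if base <= 0 {
		return 0, false
	}
	for i := 2; i < len(times); i++ {
		diff := times[i].Sub(times[i-1]) - base
		if diff < 0 {
			diff = -diff
		}
		if diff*10 > base {
			return 0, false
		}
	}
	return base, true
}

// Analyze parses the lines and returns watched-domain alerts (one per
// client/name/type) followed by periodic-TXT-lookup alerts.
func Analyze(lines []string) ([]Alert, error) {
	type key struct{ client, qname, qtype string }
	groups := map[key][]time.Time{}
	seen := map[key]bool{}
	var alerts []Alert
	for _, line := range lines {
		q, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		k := key{q.Client, q.QName, q.QType}
		groups[k] = append(groups[k], q.Time)
		if underWatched(q.QName) && !seen[k] {
			seen[k] = true
			alerts = append(alerts, Alert{q.Client, q.QName, "query to watched dynamic-DNS domain"})
		}
	}
	keys := make([]key, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return fmt.Sprint(keys[i]) < fmt.Sprint(keys[j]) })
	for _, k := range keys {
		if k.qtype != "TXT" {
			continue
		}
		ts := groups[k]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		if period, ok := beaconPeriod(ts); ok {
			alerts = append(alerts, Alert{k.client, k.qname, fmt.Sprintf("periodic TXT lookups every %s (%d seen)", period, len(ts))})
		}
	}
	return alerts, nil
}

// sampleLog is constructed: one build host beaconing every five minutes
// amid ordinary toolchain and mail-policy lookups.
var sampleLog = []string{
	"2023-09-01T10:00:00Z client=10.0.0.5 qname=proxy.golang.org. qtype=A",
	"2023-09-01T10:00:05Z client=10.0.0.5 qname=dnslog-cdn-images.freemyip.com. qtype=TXT",
	"2023-09-01T10:02:30Z client=10.0.0.7 qname=_dmarc.example.com. qtype=TXT",
	"2023-09-01T10:05:05Z client=10.0.0.5 qname=dnslog-cdn-images.freemyip.com. qtype=TXT",
	"2023-09-01T10:10:06Z client=10.0.0.5 qname=dnslog-cdn-images.freemyip.com. qtype=TXT",
	"2023-09-01T10:12:00Z client=10.0.0.5 qname=sum.golang.org. qtype=A",
	"2023-09-01T10:15:05Z client=10.0.0.5 qname=dnslog-cdn-images.freemyip.com. qtype=TXT",
}

func main() {
	alerts, err := Analyze(sampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %s: %s\n", a.Client, a.QName, a.Reason)
	}
}
```

The periodicity check is deliberately loose (10% jitter) so that a few seconds of scheduling drift between five-minute sleeps does not hide the pattern; tighten or widen it to match the resolver's timestamp resolution.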

If a developer or CI system ran code pulling in version v1.3.3, Socket.dev recommends treating that host as compromised. Credentials on that machine, including Git tokens, cloud keys, and SSH keys, should be rotated immediately.

Teams should audit their Go module files for github.com/shopsprint/decimal and replace it with the correct package.

Monitoring DNS traffic for queries to freemyip[.]com from build or production environments is strongly advised, as the provider has no legitimate role in standard Go toolchains.
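The go.mod audit recommended above generalises beyond one known string: a single-character edit of a popular module path is exactly what an edit-distance comparison against an approved-dependency list catches. The Go program below is an added example, not code from the article or from Socket.dev. It parses the require lines of a go.mod (both the one-line and the block form), reports the typosquat named in the article's IoCs as known-bad, and flags any other path within edit distance 2 of a known-good path. The known-good list and the sample go.mod are constructed for the example, and github.com/strechr/testify in the sample is a hypothetical near-miss, not a module the article mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// knownGood stands in for an organisation's approved-dependency inventory;
// the entries are assumed for this example.
var knownGood = []string{
	"github.com/shopspring/decimal",
	"github.com/stretchr/testify",
	"golang.org/x/crypto",
}

// knownBad holds the module path from the article's IoC table.
var knownBad = map[string]string{
	"github.com/shopsprint/decimal": "typosquat of github.com/shopspring/decimal with DNS TXT backdoor (v1.3.3)",
}

// Requirement is one module/version pair from a go.mod require directive.
type Requirement struct{ Path, Version string }

// Finding is one audit result.
type Finding struct{ Path, Version, Reason string }

// ParseGoMod extracts requirements from go.mod text, handling both
// "require x v1" lines and "require ( ... )" blocks and ignoring // comments.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				reqs = append(reqs, Requirement{f[0], f[1]})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				reqs = append(reqs, Requirement{f[1], f[2]})
			}
		}
	}
	return reqs
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// levenshtein is the classic edit distance (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(minInt(prev[j]+1, cur[j-1]+1), prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func isKnownGood(path string) bool {
	for _, g := range knownGood {
		if g == path {
			return true
		}
	}
	return false
}

// Audit reports known-bad paths first, then any path that is not approved
// but sits within edit distance 2 of an approved one.
func Audit(src string) []Finding {
	var out []Finding
	for _, r := range ParseGoMod(src) {
		if reason, bad := knownBad[r.Path]; bad {
			out = append(out, Finding{r.Path, r.Version, "known malicious: " + reason})
			continue
		}
		if isKnownGood(r.Path) {
			continue
		}
		for _, good := range knownGood {
			if d := levenshtein(r.Path, good); d > 0 && d <= 2 {
				out = append(out, Finding{r.Path, r.Version, fmt.Sprintf("edit distance %d from %s; verify before trusting", d, good)})
				break
			}
		}
	}
	return out
}

// sampleGoMod is constructed; the strechr path is a hypothetical near-miss.
const sampleGoMod = `module example.com/billing

go 1.21

require github.com/shopsprint/decimal v1.3.3 // one letter off from shopspring

require (
	github.com/strechr/testify v1.8.4 // hypothetical near-miss
	golang.org/x/crypto v0.17.0
)
`

func main() {
	for _, f := range Audit(sampleGoMod) {
		fmt.Printf("%s %s: %s\n", f.Path, f.Version, f.Reason)
	}
}
```

Feed it the go.mod of each repository and, for a vendored tree, the module paths listed in go.sum as well; an edit-distance hit is a prompt to check the module's publisher and history, not proof of compromise.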

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Malicious Go Module | github.com/shopsprint/decimal (v1.3.3) | Typosquatted Go module with embedded DNS backdoor |
| Malicious Commit Hash | 2f0ee073c6f29d66188a845592029c9b52528f04 | Git commit introducing the init() backdoor function |
| SHA-256 (Module ZIP) | dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086 | Hash of the v1.3.3 malicious module zip artifact |
| SHA-256 (decimal.go) | 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41 | Hash of the trojanized decimal.go source file |
| SHA1 (decimal.go) | fd26f4ca4746ee390e22043a5e19ebf2b7fcd1f9 | SHA1 hash of trojanized decimal.go |
| MD5 (decimal.go) | e3c6ce0440d9acd0f1cef1f0da3cdb5d | MD5 hash of trojanized decimal.go |
| C2 Domain | dnslog-cdn-images[.]freemyip[.]com | Hardcoded DNS TXT C2 subdomain; queried every 5 minutes |
| Parent Domain | freemyip[.]com | Free dynamic DNS provider hosting the C2 subdomain |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
