Malicious Go Packages Mimic Google UUID Library, Stealing Developer Data via Typosquatting Attack

Malicious Go Packages Masquerade as Google’s UUID Library to Steal Sensitive Data

Security researchers have uncovered a long-running supply chain attack on the Go ecosystem. The Socket Threat Research Team identified two malicious packages, `github.com/bpoorman/uuid` and `github.com/bpoorman/uid`, that have been quietly exfiltrating data from developers' applications for years. The attack relies on typosquatting: the attacker publishes packages whose names differ from popular libraries by a single slip of the fingers, then waits for developers to install them by mistake.

Discovery of Deceptive Go Packages

The malicious packages are built to pass for the legitimate, widely used libraries `github.com/google/uuid` and `github.com/pborman/uuid`. The attacker registered the username `bpoorman`, a near-transposition of the real maintainer's handle `pborman`. Because these libraries are downloaded millions of times and are standard utilities in Go code, developers often type their import paths from memory, and a single slip, `bpoorman` in place of `pborman`, pulls in the malicious module instead of the genuine one.

Once imported, the counterfeit package behaves like its genuine counterpart: it generates UUIDs as expected, so nothing in ordinary use reveals the substitution. That seamless behaviour is what makes the malicious activity so hard to detect.

Mechanism of the Attack

Behind that expected behaviour sits the payload. The attacker added a helper function named `Valid`. In a legitimate UUID library, a function by that name would simply report whether a string is a well-formed identifier; in the counterfeit, `Valid` doubles as the backdoor.

Whatever a developer passes to it, whether user IDs, session tokens, or email addresses, is encrypted by the hidden code and uploaded to `dpaste.com`, a public text-sharing service, using a hardcoded API token. The exfiltration runs silently in the background, with no error messages and no overt sign of compromise. Because the hook fires only when the application calls `Valid`, the attacker receives exactly the values the application chose to validate, which tend to be the sensitive ones. For defenders, the one observable artifact is an outbound connection to dpaste.com from a service that has no reason to talk to a paste site, which is precisely the kind of egress an alert should catch.

Duration and Impact of the Threat

Alarmingly, the threat went unnoticed for a long time. The `bpoorman/uuid` package was first published in May 2021 and stayed available in the Go ecosystem for more than four years. At the time of discovery, the malicious UUID package was still listed on `pkg.go.dev`, the primary index for discovering Go packages.

The `uid` package had been removed from the search index but remains fetchable through public module mirrors: the Go module proxy keeps modules it has already cached, so delisting from `pkg.go.dev` alone does not stop `go get` from resolving the path. The incident underscores how carefully developers need to audit their dependencies.

Recommendations for Developers

To mitigate the risk, experts recommend that development teams review their `go.mod` files and confirm they import the genuine `pborman` and Google libraries rather than the `bpoorman` imposters. `go.mod` is the right starting point, but `go list -m all` prints the fully resolved module graph, and a search of `go.sum` for the string `bpoorman` catches a lookalike that arrived as a transitive dependency. More generally, treat every new dependency as untrusted until it has been verified: compare the import path character by character against the library's own documentation, look at the publisher's history, and be suspicious of any module whose path is a near-miss of a well-known one.
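The audit described above, automated, as an added example that is not Socket's tooling or code from either UUID project. It takes the output of `go list -m all` (one `path version` line per module, the main module first without a version), flags the two module paths the article names, and also flags any module whose path is within a small edit distance of the trusted `google/uuid` or `pborman/uuid` paths. The distance metric (optimal string alignment, so the `pb` to `bp` transposition costs one edit), the cutoff of 2, and the sample module list are all assumptions made for the example.

```go
// Added example for this article, not Socket's tooling or either uuid project's code.
// Audits `go list -m all` output for the module paths the article names and for near-misses.
package main

import (
	"fmt"
	"strings"
)

// Module paths from the article; the cutoff and the sample input below are assumptions.
var trusted = []string{"github.com/google/uuid", "github.com/pborman/uuid"}
var knownMalicious = map[string]bool{"github.com/bpoorman/uuid": true, "github.com/bpoorman/uid": true}

const maxDistance = 2 // assumed edit-distance cutoff for a "lookalike" verdict

type Finding struct {
	Path, Reason, Nearest string // Nearest is the closest trusted module path
	Distance              int    // OSA edit distance from Path to Nearest
}

// osaDistance: optimal-string-alignment edit distance; an adjacent transposition ("pb" -> "bp") costs one edit.
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			d[i][j] = d[i-1][j-1] // match, or substitution
			if ra[i-1] != rb[j-1] {
				d[i][j]++
			}
			if d[i-1][j]+1 < d[i][j] { // deletion
				d[i][j] = d[i-1][j] + 1
			}
			if d[i][j-1]+1 < d[i][j] { // insertion
				d[i][j] = d[i][j-1] + 1
			}
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] && d[i-2][j-2]+1 < d[i][j] {
				d[i][j] = d[i-2][j-2] + 1 // adjacent transposition
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// Classify flags a known-bad path or one within maxDistance of a trusted path; an exact trusted path is never flagged.
func Classify(path string) (Finding, bool) {
	f := Finding{Path: path, Distance: -1}
	for _, t := range trusted {
		if path == t {
			return Finding{}, false
		}
		if d := osaDistance(path, t); f.Distance < 0 || d < f.Distance {
			f.Nearest, f.Distance = t, d
		}
	}
	switch {
	case knownMalicious[path]:
		f.Reason = "known malicious"
	case f.Distance <= maxDistance:
		f.Reason = "lookalike of trusted path"
	default:
		return Finding{}, false
	}
	return f, true
}

// Audit reads `go list -m all` output ("path version" per line) and returns one Finding per flagged module, in input order.
func Audit(goListOutput string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(goListOutput, "\n") {
		if fields := strings.Fields(line); len(fields) > 0 {
			if f, ok := Classify(fields[0]); ok {
				findings = append(findings, f)
			}
		}
	}
	return findings
}

// Constructed sample of `go list -m all` output; the versions are placeholders.
const sampleModules = `example.com/app
github.com/bpoorman/uid v0.1.0
github.com/bpoorman/uuid v1.0.0
github.com/google/uuid v1.6.0
golang.org/x/text v0.14.0
`

func main() {
	for _, f := range Audit(sampleModules) {
		fmt.Printf("%s: %s (nearest trusted %s, distance %d)\n", f.Path, f.Reason, f.Nearest, f.Distance)
	}
}
```

Run it against a real project with `go list -m all | go run audit.go` after replacing the constant with stdin, or paste the output in. The known-bad list catches the two reported modules outright; the distance check exists for the next typosquat, and the cutoff of 2 is tight enough that a legitimate neighbour such as `github.com/gofrs/uuid` (distance 4 from `google/uuid`) is not flagged.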

This discovery serves as a stark reminder of the vulnerabilities inherent in the software supply chain and the importance of vigilance in dependency management.