Update February 6: Google has removed the package and provided the following statement:
The module has been removed from both the Go module proxy and GitHub, and we’ve added it to the Go vulnerability database for anyone who thinks they may have been impacted. We are addressing this through fixes like capability analysis via Capslock and running comparisons with deps.dev. We want to thank Socket and the Go team contributors that detected the module and are addressing fixes. We’ll continue to work with the wider industry to raise awareness around common open source security issues like these and work being done through initiatives like SLSA and OpenSSF.
A malicious typosquat package has been found in the Go language ecosystem. The package, which contains a backdoor to enable remote code execution, was discovered by researchers at the application security company Socket.
A February 3 Socket blog post states that the package impersonates the widely used Bolt database module. The BoltDB package is widely adopted in the Go ecosystem, with 8,367 packages dependent on it, according to the blog. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malware and hide it from manual review. Developers who manually audited github.com/boltdb-go/bolt on GitHub did not find traces of malicious code. But downloading the package via the Go Module Proxy retrieved an original backdoored version. This deception went undetected for more than three years, allowing the malicious package to persist in the public repository.