This threat involves a long-running typosquatting campaign targeting the Go ecosystem by publishing a malicious package named shopsprint/decimal, differing by one character from the legitimate shopspring/decimal library. Initially benign, the package was weaponized in August 2023 by adding a malicious init() function that automatically executes on import. This function establishes a command and control channel using DNS TXT records from dnslog-cdn-images.freemyip.com, polling every five minutes to receive and execute arbitrary commands. Despite the takedown of the GitHub repository and owner account, the malicious module remains cached and accessible through Go's module proxy system, continuing to pose a supply chain threat to developers who mistakenly import it.

The malicious package enables remote attackers to execute arbitrary commands on systems that import the compromised module, via a DNS-based command and control channel. This can lead to unauthorized code execution and potential system compromise. The persistence of the malicious module in Go's module proxy cache means that developers who mistype the package name may unknowingly introduce this backdoor into their projects, creating a supply chain risk.

No official patch or fix is available since this is a malicious typosquatting package rather than a vulnerability in legitimate software. The malicious GitHub repository and owner account have been deleted, but the module remains cached in Go's module proxy system. Developers should verify package names carefully before importing and avoid using similarly named or untrusted packages. Consider clearing or bypassing the Go module proxy cache if the malicious module is suspected to be cached. Monitor dependency lists for suspicious or unexpected packages. There is no vendor advisory indicating an official fix or mitigation.