VDB
GCVE-110-OSM-2023-3
GCVE-110-OSM-2023-3
Advisory PublishedCVSS 8.8/10
Malicious GitHub repository hosting a typosquat of shopspring/decimal. The owner account shopsprint and the repository were deleted from GitHub, but the malicious v1.3.3 module remains permanently cached in the Go Module Proxy. The repository was used to publish v1.3.3 containing a DNS-TXT-based command execution backdoor in decimal.go via the init() function. Trust-then-poison pattern: versions 1.0.0-1.3.2 were benign before weaponization on 2023-08-19.
Malicious commit: 2f0ee073c6f29d66188a845592029c9b52528f04
File: decimal.go
Behavior: init() spawns a goroutine that polls DNS TXT records of dnslog-cdn-images.freemyip.com every 5 minutes and executes the returned content as shell commands.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected), * (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected) | — | |
| OpenSSF: Package Analysis | i18n_sonder | all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected) | — |
Aliases
References
Malicious package:
advisory
Malicious package:
advisory
Malicious package:
advisory
Malicious package:
advisory
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.