VDB

GCVE-110-OSM-2023-3

GCVE-110-OSM-2023-3
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published August 19, 2023
Malicious GitHub repository hosting a typosquat of shopspring/decimal. The owner account shopsprint and the repository were deleted from GitHub, but the malicious v1.3.3 module remains permanently cached in the Go Module Proxy. The repository was used to publish v1.3.3 containing a DNS-TXT-based command execution backdoor in decimal.go via the init() function. Trust-then-poison pattern: versions 1.0.0-1.3.2 were benign before weaponization on 2023-08-19. Malicious commit: 2f0ee073c6f29d66188a845592029c9b52528f04 File: decimal.go Behavior: init() spawns a goroutine that polls DNS TXT records of dnslog-cdn-images.freemyip.com every 5 minutes and executes the returned content as shell commands.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected), * (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected)
OpenSSF: Package Analysisi18n_sonderall (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected)

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›