VDB

GCVE-110-OSM-2023-8

GCVE-110-OSM-2023-8
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published August 19, 2023
Typosquat of the popular shopspring/decimal Go module (38,634+ importers). The v1.3.3 release injected a malicious init() function that spawns a background goroutine polling DNS TXT records every five minutes to receive and execute arbitrary commands at the importing process privileges. Trust-then-poison pattern: versions 1.0.0-1.3.2 were benign clones before weaponization on 2023-08-19. The malicious repo and publisher account have been removed from GitHub, but the Go Module Proxy permanently caches the module, so dependent builds remain at risk. Malicious payload found in: decimal.go (commit 2f0ee073c6f29d66188a845592029c9b52528f04) Trigger: init() function executes on package import Mechanism: Spawns background goroutine that queries DNS TXT records of dnslog-cdn-images.freemyip.com every 5 minutes. The decoded TXT response is executed as a shell command at the host process privileges. The A record for the domain resolves to 8.8.8.8 as a decoy. File hashes: Module zip SHA-256: dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086 decimal.go SHA-256: 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41 decimal.go SHA-1: fd26f4ca4746ee390e22043a5e19ebf2b7fcd1f9 decimal.go MD5: e3c6ce0440d9acd0f1cef1f0da3cdb5d

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngithub.com/shopsprint/decimalv1.3.3 (weaponized); v1.0.0-v1.3.2 benign (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›