VDB
GCVE-110-OSM-2023-8
GCVE-110-OSM-2023-8
Advisory PublishedCVSS 8.8/10
Typosquat of the popular shopspring/decimal Go module (38,634+ importers). The v1.3.3 release injected a malicious init() function that spawns a background goroutine polling DNS TXT records every five minutes to receive and execute arbitrary commands at the importing process privileges. Trust-then-poison pattern: versions 1.0.0-1.3.2 were benign clones before weaponization on 2023-08-19. The malicious repo and publisher account have been removed from GitHub, but the Go Module Proxy permanently caches the module, so dependent builds remain at risk.
Malicious payload found in: decimal.go (commit 2f0ee073c6f29d66188a845592029c9b52528f04)
Trigger: init() function executes on package import
Mechanism: Spawns background goroutine that queries DNS TXT records of dnslog-cdn-images.freemyip.com every 5 minutes. The decoded TXT response is executed as a shell command at the host process privileges. The A record for the domain resolves to 8.8.8.8 as a decoy.
File hashes:
Module zip SHA-256: dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086
decimal.go SHA-256: 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41
decimal.go SHA-1: fd26f4ca4746ee390e22043a5e19ebf2b7fcd1f9
decimal.go MD5: e3c6ce0440d9acd0f1cef1f0da3cdb5d
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | github.com/shopsprint/decimal | v1.3.3 (weaponized); v1.0.0-v1.3.2 benign (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.