A hidden hazard has been lurking within the Go programming ecosystem for over 4 years.
Safety researchers from the Socket Risk Analysis Group have found two malicious software program packages that impersonate well-liked Google instruments.
These pretend packages, designed to trick busy builders, have been quietly stealing information since Could 2021.
The malicious packages are recognized as github.com/bpoorman/uuid and github.com/bpoorman/uid.
They’re designed to look virtually equivalent to the reputable and broadly used pborman and Google UUID libraries.
These actual libraries are the trade commonplace for producing distinctive identifiers for database rows, consumer periods, and job monitoring.
The “Typosquatting” Lure
The attacker, utilizing the username “bpoorman,” used a method referred to as “typosquatting.”
By selecting a reputation visually much like “pborman” (a reputable maintainer), the attacker hoped builders would mistype the identify or miss out on the distinction in an extended record of dependencies.
![page for the malicious github[.]com/bpoorman/uuid Go package](https://gbhackers.com/wp-content/uploads/2025/12/image-27-1024x458.png)
github[.]com/bpoorman/uuid Go bundleCrucially, the pretend software program truly works. It generates distinctive IDs identical to the actual model. This permits it to remain hidden, as the applying doesn’t crash or present apparent errors. Nonetheless, the pretend code accommodates a secret backdoor.
The malicious code features a helper perform named Legitimate. Within the reputable software program, builders may anticipate a perform with this identify to test if an ID is formatted accurately. Within the pretend model, it does one thing rather more harmful.
When a developer passes information into this Legitimate perform equivalent to consumer IDs, electronic mail addresses, and even session tokens the code secretly encrypts that data.
It then sends the stolen information to dpaste.com, a public text-sharing web site, utilizing a hardcoded API token. The attacker can then retrieve this information anonymously.
As a result of the info is encrypted earlier than it leaves the sufferer’s pc, commonplace safety instruments won’t discover that delicate secrets and techniques are being stolen.
Regardless of being printed years in the past, these packages have remained obtainable on the Go bundle discovery website and public mirrors.
![Excerpt from the threat actor’s github[.]com/bpoorman/uid repository showing the uid.go exfiltration code](https://gbhackers.com/wp-content/uploads/2025/12/image-28-1024x580.png)
github[.]com/bpoorman/uid repository displaying the uid.go exfiltration code Whereas the general public index reveals “0 imports,” researchers warn that that is deceptive.
The index doesn’t rely downloads from non-public company repositories or inside instruments, which means the precise variety of affected programs is unknown.
Socket has reported each packages to the Go safety workforce and requested that the writer’s account be suspended.
Builders are strongly suggested to audit their tasks and guarantee they’re utilizing github.com/google/uuid or github.com/pborman/uuid, and never the malicious “bpoorman” imposter.
Comply with us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
