Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor
By Tushar Subhra Dutta
May 20, 2026
A seemingly innocent typo in a Go module name has been quietly serving a live backdoor for nearly three years. Security researchers uncovered a malicious package called github.com/shopsprint/decimal that impersonates the popular github.com/shopspring/decimal library, differing by just a single letter in its name.
The package went live in 2017 but was weaponized in August 2023, when attackers slipped in a hidden function that opens a covert command-and-control channel over DNS records.
The attack targets Go developers working on financial software, billing systems, cryptocurrency platforms, and analytics tools.
These developers rely on the legitimate shopspring/decimal library for precise arithmetic calculations without rounding errors.
The fake package mirrors the real one so closely that any project importing it will compile and run normally, with no visible errors or unusual output to raise suspicion.
Researchers at Socket.dev, who shared their findings in a report with Cyber Security News (CSN), identified the rogue module and traced its activity to the exact moment it was weaponized.
The malicious version is v1.3.3, published on August 19, 2023, just seven minutes after a clean release was pushed to create the illusion of normal maintenance.
Seven earlier versions were entirely harmless, a deliberate strategy to build trust before the attack was finally triggered.
What makes this threat especially serious is how it survives even after the original GitHub account was deleted. The Go Module Proxy at proxy.golang.org permanently caches every published version of a module as part of Go’s reproducibility guarantee.
That means the malicious v1.3.3 remains fully accessible to any developer who runs go get with that package path today, with absolutely no warning.
The threat actor stayed silent for years, building a persistent foothold inside development environments worldwide.
With a beacon firing every five minutes and no visible process activity, the backdoor could go undetected for weeks or months on any machine that imported the compromised package.
Hackers Use Single-Letter Go Module Typosquat
The entire difference between the safe package and the dangerous one is a single character. The legitimate library is shopspring, while the typosquat uses shopsprint, replacing the final g with a t.
A developer typing quickly, copying from memory, or relying on autocomplete could easily end up with the wrong module without realizing it.
The malicious version introduces three new imports into the source file: net, os/exec, and time. None of these belong in a decimal math library, and their presence is the clearest technical signal that something is wrong.
The attack activates the moment any Go binary importing the package is run, because the payload lives inside an init() function, which Go executes automatically at program startup, before main() runs. Importing the typosquatted module anywhere in a project’s dependency tree is enough to start the C2 loop.
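The combination the article describes, an init() function next to imports that a pure arithmetic library has no reason to need, can be checked mechanically with Go’s own parser. The following program is an added example written for this article, not code from Socket.dev or from either decimal module. It parses a source file syntactically (no type checking, so unused imports do not matter) and flags any file that both declares init() and imports net, os/exec or time. The two sample files are constructed: the "trojan-shaped" one only has the shape described above, with an empty init() body.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// suspiciousImports lists packages that have no business in a decimal
// arithmetic library; these are the three the article names.
var suspiciousImports = map[string]bool{
	"net":     true,
	"os/exec": true,
	"time":    true,
}

// Finding records what the scanner saw in one source file.
type Finding struct {
	File    string
	HasInit bool
	Imports []string // suspicious imports found, in source order
}

// Suspicious is true only when both signals occur together: a function
// that runs at program start and the means to talk to the network or
// spawn processes.
func (f Finding) Suspicious() bool {
	return f.HasInit && len(f.Imports) > 0
}

// ScanSource parses a single Go file given as text and reports whether it
// declares a top-level init() and which suspicious packages it imports.
func ScanSource(filename, src string) (Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return Finding{}, err
	}
	fd := Finding{File: filename}
	for _, imp := range file.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			continue
		}
		if suspiciousImports[path] {
			fd.Imports = append(fd.Imports, path)
		}
	}
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		// A package-level init() has no receiver; methods named init are not it.
		if ok && fn.Recv == nil && fn.Name.Name == "init" {
			fd.HasInit = true
		}
	}
	return fd, nil
}

// CleanSrc is a constructed stand-in for an ordinary decimal package file.
const CleanSrc = `package decimal

import "math/big"

type Decimal struct {
	value *big.Int
	exp   int32
}
`

// TrojanShapedSrc is a constructed file with the shape the article describes:
// the three extra imports plus an init() function. The body is deliberately empty.
const TrojanShapedSrc = `package decimal

import (
	"net"
	"os/exec"
	"time"
)

func init() {}
`

func main() {
	for name, src := range map[string]string{"clean.go": CleanSrc, "decimal.go": TrojanShapedSrc} {
		fd, err := ScanSource(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: init=%v suspicious imports=%v -> flagged=%v\n",
			fd.File, fd.HasInit, fd.Imports, fd.Suspicious())
	}
}
```

In practice this would be run over every file under the module cache (GOMODCACHE) rather than on embedded strings, and the import list tuned per dependency: time is legitimate in many libraries, so the init() co-occurrence is what makes the signal useful.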
The DNS-Based Backdoor Explained
Once triggered, the malicious init() launches a background loop that contacts a DNS subdomain every five minutes, requesting a TXT record.
TXT records are a DNS entry type used to hold arbitrary text, which the attacker uses to deliver operating system commands directly to infected machines.
The subdomain acting as the command server is dnslog-cdn-images[.]freemyip[.]com, hosted on a free dynamic DNS provider that the attacker fully controls.
Whatever command the TXT record contains is passed directly to the operating system for execution. The results are captured and discarded, leaving no output, no logs, and no visible trace.
Since DNS traffic rarely triggers the same alarms as outbound HTTP, this method lets the attacker issue commands while staying below the radar of most security tools.
If a developer or CI system ran code pulling in version v1.3.3, Socket.dev recommends treating that host as compromised. Credentials on that machine, including Git tokens, cloud keys, and SSH keys, should be rotated immediately.
Teams should audit their Go module files for github.com/shopsprint/decimal and replace it with the correct package.
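The go.mod audit recommended above can be automated, and the single-letter difference described earlier is exactly what an edit-distance check catches. The program below is an added example, not tooling from Socket.dev or the Go project. It parses the require directives of a go.mod, flags the article’s confirmed typosquat path outright, and additionally reports any module path that is one edit away from an allowlisted module (so it also catches variants such as a dropped letter, not just the g-to-t swap). The go.mod text and the module name example.com/billing are constructed; the allowlist and known-bad entries are the only real paths and both come from the article.

```go
package main

import (
	"fmt"
	"strings"
)

// knownModules is an allowlist of legitimate module paths the organisation
// expects in its builds. A real deployment would load a much longer list.
var knownModules = []string{
	"github.com/shopspring/decimal",
}

// knownBad maps confirmed-malicious module paths to a reason. The single
// entry is the IoC from the article.
var knownBad = map[string]string{
	"github.com/shopsprint/decimal": "confirmed typosquat of github.com/shopspring/decimal",
}

// SampleGoMod is a constructed go.mod for a hypothetical billing service.
const SampleGoMod = `module example.com/billing

go 1.21

require (
	github.com/shopsprint/decimal v1.3.3 // looks right at a glance
	github.com/stretchr/testify v1.8.4
)
`

// Requirement is one module path/version pair from a require directive.
type Requirement struct {
	Path, Version string
}

// ParseRequires extracts requirements from both single-line and block-form
// require directives. Trailing comments are stripped first.
func ParseRequires(gomod string) []Requirement {
	var out []Requirement
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				out = append(out, Requirement{f[1], f[2]})
			}
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				out = append(out, Requirement{f[0], f[1]})
			}
		}
	}
	return out
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// editDistance returns the Levenshtein distance between a and b, so a
// single substitution, insertion or deletion scores 1.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Alert is one requirement the audit wants a human to look at.
type Alert struct {
	Path, Version, Reason string
}

// Audit flags known-bad paths and near-misses of allowlisted paths.
func Audit(reqs []Requirement) []Alert {
	var alerts []Alert
	for _, r := range reqs {
		if reason, bad := knownBad[r.Path]; bad {
			alerts = append(alerts, Alert{r.Path, r.Version, reason})
			continue
		}
		for _, k := range knownModules {
			if r.Path == k {
				continue // the genuine module
			}
			if d := editDistance(r.Path, k); d <= 1 {
				alerts = append(alerts, Alert{r.Path, r.Version,
					fmt.Sprintf("one edit away from %s; verify before trusting", k)})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Audit(ParseRequires(SampleGoMod)) {
		fmt.Printf("ALERT %s %s: %s\n", a.Path, a.Version, a.Reason)
	}
}
```

Running it over every go.mod in an organisation’s repositories, and over go.sum for indirect dependencies, is the practical version of the audit; the near-miss check is the part that would have surfaced shopsprint even before it appeared on any IoC list.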
Monitoring DNS traffic for queries to freemyip[.]com from build or production environments is strongly advised, as the provider has no legitimate role in standard Go toolchains.
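The monitoring advice above has two parts that can be expressed as detection logic: a watchlist match on the dynamic DNS provider, and the five-minute TXT polling rhythm described in the previous section. The program below is an added example, not code from Socket.dev or from any SIEM product. It parses resolver log lines in a constructed "timestamp client qtype qname" format, reports every query under freemyip.com, and separately looks for any (client, name) pair that issues TXT queries at a steady interval, which is the signature of a timed C2 poll regardless of the domain used. The log lines, the client addresses and the subdomain test-host.freemyip.com are constructed; only the parent domain comes from the article.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// DNSQuery is one parsed resolver log line.
type DNSQuery struct {
	When   time.Time
	Client string
	QType  string
	QName  string
}

// watchlistSuffixes holds domains with no legitimate role in build or
// production traffic; the article names the dynamic DNS provider.
var watchlistSuffixes = []string{"freemyip.com"}

// SampleLog is constructed. One host polls a watchlisted name for TXT
// records roughly every five minutes amid ordinary toolchain lookups.
var SampleLog = []string{
	"2026-05-20T10:00:00Z 10.0.0.5 A proxy.golang.org",
	"2026-05-20T10:00:00Z 10.0.0.5 TXT test-host.freemyip.com",
	"2026-05-20T10:02:30Z 10.0.0.9 TXT example.com",
	"2026-05-20T10:05:01Z 10.0.0.5 TXT test-host.freemyip.com",
	"2026-05-20T10:10:00Z 10.0.0.5 TXT test-host.freemyip.com",
	"2026-05-20T10:12:00Z 10.0.0.9 A sum.golang.org",
	"2026-05-20T10:15:02Z 10.0.0.5 TXT test-host.freemyip.com",
	"malformed line that the parser must skip",
}

// ParseLog parses "<RFC3339 timestamp> <client> <qtype> <qname>" lines,
// lower-casing names and dropping a trailing dot; bad lines are skipped.
func ParseLog(lines []string) []DNSQuery {
	var out []DNSQuery
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		name := strings.TrimSuffix(strings.ToLower(f[3]), ".")
		out = append(out, DNSQuery{ts, f[1], f[2], name})
	}
	return out
}

// OnWatchlist is true for a watchlisted domain or any subdomain of one.
func OnWatchlist(qname string) bool {
	for _, s := range watchlistSuffixes {
		if qname == s || strings.HasSuffix(qname, "."+s) {
			return true
		}
	}
	return false
}

// WatchlistHits returns every query whose name is on the watchlist.
func WatchlistHits(qs []DNSQuery) []DNSQuery {
	var hits []DNSQuery
	for _, q := range qs {
		if OnWatchlist(q.QName) {
			hits = append(hits, q)
		}
	}
	return hits
}

// Beacon is a (client, name) pair polling TXT records at a steady period.
type Beacon struct {
	Client, QName string
	Count         int
	Period        time.Duration
}

// FindBeacons groups TXT queries by client and name and reports groups of
// at least minCount queries whose inter-query gaps all lie within
// tolerance (a fraction) of the median gap.
func FindBeacons(qs []DNSQuery, minCount int, tolerance float64) []Beacon {
	type key struct{ client, qname string }
	groups := map[key][]time.Time{}
	for _, q := range qs {
		if q.QType == "TXT" {
			k := key{q.Client, q.QName}
			groups[k] = append(groups[k], q.When)
		}
	}
	var out []Beacon
	for k, times := range groups {
		if len(times) < minCount {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		gaps := make([]time.Duration, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			gaps = append(gaps, times[i].Sub(times[i-1]))
		}
		sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
		median := gaps[len(gaps)/2]
		steady := true
		for _, g := range gaps {
			diff := float64(g - median)
			if diff < 0 {
				diff = -diff
			}
			if diff > tolerance*float64(median) {
				steady = false
				break
			}
		}
		if steady {
			out = append(out, Beacon{k.client, k.qname, len(times), median})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Client+out[i].QName < out[j].Client+out[j].QName
	})
	return out
}

func main() {
	qs := ParseLog(SampleLog)
	for _, h := range WatchlistHits(qs) {
		fmt.Printf("WATCHLIST %s %s %s %s\n", h.When.Format(time.RFC3339), h.Client, h.QType, h.QName)
	}
	for _, b := range FindBeacons(qs, 3, 0.1) {
		fmt.Printf("BEACON %s -> %s: %d TXT queries, period %s\n", b.Client, b.QName, b.Count, b.Period)
	}
}
```

The watchlist rule is cheap and exact but only covers names already known; the periodicity rule is what catches the same technique pointed at a different dynamic DNS provider, at the cost of needing a window of several queries before it fires.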
Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
Malicious Go Module | github.com/shopsprint/decimal (v1.3.3) | Typosquatted Go module with embedded DNS backdoor
Malicious Commit Hash | 2f0ee073c6f29d66188a845592029c9b52528f04 | Git commit introducing the init() backdoor function
SHA-256 (Module ZIP) | dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086 | Hash of the v1.3.3 malicious module zip artifact
SHA-256 (decimal.go) | 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41 | Hash of the trojanized decimal.go source file
SHA1 (decimal.go) | fd26f4ca4746ee390e22043a5e19ebf2b7fcd1f9 | SHA1 hash of trojanized decimal.go
MD5 (decimal.go) | e3c6ce0440d9acd0f1cef1f0da3cdb5d | MD5 hash of trojanized decimal.go
C2 Domain | dnslog-cdn-images[.]freemyip[.]com | Hardcoded DNS TXT C2 subdomain; queried every 5 minutes
Parent Domain | freemyip[.]com | Free dynamic DNS provider hosting the C2 subdomain
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.