One of several dubious repositories flagged by custom-built tool

Researcher discovers Go typosquatting package that relays system information to Chinese tech firm

UPDATED A Go package that relays system information to a Chinese IP address was one of several suspicious repositories uncovered during an investigation into typosquatting in the Go ecosystem.

Using a tool he built for the research project, GitLab security engineer Michael Henriksen scanned all 731 GitHub and GitLab hosted packages from the Go Module Index, surfacing seven dubious packages in all.

Typosquatting refers to malicious packages with near-identical names to those of legitimate packages, uploaded to repositories in the hope that developers will mistype the package name and inadvertently download the rogue version.

BACKGROUND Software supply chain attacks – everything you need to know

Henriksen’s tool, ‘Pkgtwist’, scours Golang package import paths for various permutations of every package owner’s username, and when a match is found cross-references their package names.

Using typogenerater, he configured the tool to find examples of typosquatting by omission (for example stretchr becomes strechr), repetition (gobuffalo/gobuffallo), bitsquatting (stretchr/strftchr), and transposition (stretchr/strethcr).

All systems (info) Go

One of two packages deemed to warrant further investigation purported to be the GitHub ‘cli’ repository that is widely used for building CLI (command-line interface) Go projects.

The package’s penultimate commit “introduces a highly suspicious init function” that extracts “hostname, operating system, and architecture of all the machines using their version of urfave/cli”, said Henriksen in a blog post.

The function “then calls out to the IP address belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters”.

While this doesn’t give them system access, the author – ‘utfave’, a near-copy of legitimate cli author ‘urfave’ – “can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting”, said the researcher.

“I reported this repository to GitHub and hope to see it taken down in the near future,” he added.

He urged users of cli and GitHub logging package ‘logrus’, which was imitated by the other imposter package of particular concern, to make sure their projects were not using the typosquatting versions.

He also said he would monitor the other five flagged packages “as they could in theory become malicious at any time”.

Automation drawback

“The fact that developers have to explicitly write out which module to import in every file where they want to use an external package makes it less likely that any confusion can happen,” Henriksen told The Daily Swig. This also means the novel dependency confusion attack vector that surfaced in the wild recently poses no credible threat to the Go ecosystem, he points out.

However, “code editor automation could increase the chances of an evil dependency living for a longer time in a Go project because a developer would typically write the import manually once, and then the editor takes over and adds the import automatically to other files from then on.

“So if the developer is so unfortunate to mistype the package import path on the first import, they might not notice it for a while since they won't be importing it manually anymore in other files. The editor will just happily add the malicious import for them.”

All an attacker has to do to typosquat on the host domain is register “a common typo of” or, simpler still, “register a new user on GitHub, or any other open package host, with a common typo of the package owner’s username”.

Read more of the latest open source software security news

Henriksen said programming languages such as NPM for JavaScript, Rubygems for Ruby, and PyPI for Python “have been plagued for years” by typosquatting attacks, but intimated that the Golang ecosystem’s vulnerability was comparatively under-researched.

Surprised that his extensive (but non-exhaustive) trawl had yielded only seven suspicious packages, the researcher declared himself “happy to see that the Go ecosystem isn’t completely infested (yet)”.

‘Lucrative’ target

That's apparently less true of malware strains, however, whose prevalence in Golang has soared by 2,000% in the last four years, according to a report published last week by cybersecurity firm Intezer.

Natalie Page, threat intelligence analyst at Talion, thinks the comparative rarity of Go code makes it “an attractive and lucrative” target.

“Currently Golang produce’s a much lower detection rate against security software when compared with popular malware code languages such as C & Python, C++,” she says.

Go is also attractive because of the “ease at which the same code can be utilised across multiple platforms for targeting against Windows, Mac, and Linux”, she adds.

“It is particularly concerning to see sophisticated threat groups such as Fancy Bear, adopting this tactic to create Golang versions of their already extremely successful tooling such as Zebrocy.”

This article was updated with comments from Michael Henriksen on March 1.

YOU MIGHT ALSO LIKE Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior