A hidden hazard has been lurking within the Go programming ecosystem for over 4 years.
Safety researchers from the Socket Risk Analysis Workforce have found two malicious software program packages that impersonate in style Google instruments.
These faux packages, designed to trick busy builders, have been quietly stealing knowledge since Might 2021.
![Socket AI Scanner’s analysis of the malicious github[.]com/bpoorman/uuid package](https://gbhackers.com/wp-content/uploads/2025/12/image-26.png)
The malicious packages are recognized as github.com/bpoorman/uuid and github.com/bpoorman/uid.
They’re designed to look virtually an identical to the legit and broadly used pborman and Google UUID libraries.
These actual libraries are the trade commonplace for producing distinctive identifiers for database rows, consumer classes, and job monitoring.
The “Typosquatting” Lure
The attacker, utilizing the username “bpoorman,” used a way referred to as “typosquatting.”
By selecting a reputation visually just like “pborman” (a legit maintainer), the attacker hoped builders would mistype the title or fail to see the distinction in an extended listing of dependencies.
![page for the malicious github[.]com/bpoorman/uuid Go package](https://gbhackers.com/wp-content/uploads/2025/12/image-27-1024x458.png)
github[.]com/bpoorman/uuid Go package dealCrucially, the faux software program really works. It generates distinctive IDs identical to the actual model. This enables it to remain hidden, as the appliance doesn’t crash or present apparent errors. Nonetheless, the faux code accommodates a secret backdoor.
The malicious code features a helper perform named Legitimate. Within the legit software program, builders would possibly count on a perform with this title to test if an ID is formatted accurately. Within the faux model, it does one thing way more harmful.
When a developer passes knowledge into this Legitimate perform comparable to consumer IDs, e mail addresses, and even session tokens the code secretly encrypts that info.
It then sends the stolen knowledge to dpaste.com, a public text-sharing web site, utilizing a hardcoded API token. The attacker can then retrieve this knowledge anonymously.
As a result of the information is encrypted earlier than it leaves the sufferer’s laptop, commonplace safety instruments may not discover that delicate secrets and techniques are being stolen.
Regardless of being revealed years in the past, these packages have remained obtainable on the Go package deal discovery web site and public mirrors.
![Excerpt from the threat actor’s github[.]com/bpoorman/uid repository showing the uid.go exfiltration code](https://gbhackers.com/wp-content/uploads/2025/12/image-28-1024x580.png)
github[.]com/bpoorman/uid repository exhibiting the uid.go exfiltration code Whereas the general public index exhibits “0 imports,” researchers warn that that is deceptive.
The index doesn’t depend downloads from non-public company repositories or inner instruments, that means the precise variety of affected programs is unknown.
Socket has reported each packages to the Go safety crew and requested that the creator’s account be suspended.
Builders are strongly suggested to audit their initiatives and guarantee they’re utilizing github.com/google/uuid or github.com/pborman/uuid, and never the malicious “bpoorman” imposter.
Observe us on Google Information, LinkedIn, and X to Get Prompt Updates and Set GBH as a Most well-liked Supply in Google.
