Friday, December 19, 2025

Malicious Go Packages Impersonate Google's UUID Library to Steal Sensitive Data


A hidden danger has been lurking in the Go programming ecosystem for over four years.

Security researchers from the Socket Threat Research Team have discovered two malicious software packages that impersonate popular Google tools.

These fake packages, designed to trick busy developers, have been quietly stealing data since May 2021.

Socket AI Scanner's analysis of the malicious github[.]com/bpoorman/uuid package

The malicious packages are identified as github.com/bpoorman/uuid and github.com/bpoorman/uid.

They are designed to look nearly identical to the legitimate and widely used pborman and Google UUID libraries.

These real libraries are the industry standard for generating unique identifiers for database rows, user sessions, and job tracking.

The "Typosquatting" Trap

The attacker, using the username "bpoorman," used a technique known as "typosquatting."

By choosing a name visually similar to "pborman" (a legitimate maintainer), the attacker hoped developers would mistype the name or fail to notice the difference in a long list of dependencies.

Page for the malicious github[.]com/bpoorman/uuid Go package

Crucially, the fake software actually works. It generates unique IDs just like the real version. This allows it to stay hidden, as the application doesn't crash or show obvious errors. However, the fake code contains a secret backdoor.

The malicious code includes a helper function named Valid. In the legitimate software, developers might expect a function with this name to check whether an ID is formatted correctly. In the fake version, it does something far more dangerous.

When a developer passes data into this Valid function, such as user IDs, email addresses, or even session tokens, the code secretly encrypts that information.

It then sends the stolen data to dpaste.com, a public text-sharing site, using a hardcoded API token. The attacker can then retrieve this data anonymously.

Because the data is encrypted before it leaves the victim's computer, standard security tools may not notice that sensitive secrets are being stolen.

Despite being published years ago, these packages have remained available on the Go package discovery site and public mirrors.

Excerpt from the threat actor's github[.]com/bpoorman/uid repository showing the uid.go exfiltration code

While the public index shows "0 imports," researchers warn that this is misleading.

The index doesn't count downloads from private corporate repositories or internal tools, meaning the actual number of affected systems is unknown.

Socket has reported both packages to the Go security team and requested that the author's account be suspended.

Developers are strongly advised to audit their projects and ensure they are using github.com/google/uuid or github.com/pborman/uuid, and not the malicious "bpoorman" imposter.
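As an added example of the audit described above (not code from the article or from Socket), the following Go program scans go.mod, go.sum or Go source text for the two imposter module paths named in the report and reports the file and line of each reference. The sample inputs in main, including the v1.0.0 version string, are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Module paths named in the report. The legitimate libraries are
// github.com/google/uuid and github.com/pborman/uuid.
var imposterPaths = []string{"github.com/bpoorman/uuid", "github.com/bpoorman/uid"}

// Matches a GitHub module path in a go.mod require line, a go.sum entry,
// or a Go import spec; the match stops at the first space or quote.
var pathRe = regexp.MustCompile(`github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+`)

// Finding records one reference to an imposter module path.
type Finding struct {
	File string
	Line int
	Path string
}

// ScanText scans the contents of one file (go.mod, go.sum or .go source) and
// returns every line referencing an imposter path, case-folded so that a
// capitalised variant of the name is still caught.
func ScanText(name, contents string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		for _, p := range pathRe.FindAllString(sc.Text(), -1) {
			for _, bad := range imposterPaths {
				if strings.EqualFold(p, bad) {
					out = append(out, Finding{File: name, Line: n, Path: p})
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample inputs: a go.mod mixing the real google/uuid with the
	// imposter, and a source file importing the uid variant under an alias.
	goMod := "module example.com/app\n\nrequire (\n\tgithub.com/google/uuid v1.6.0\n\tgithub.com/bpoorman/uuid v1.0.0\n)\n"
	src := "package main\n\nimport (\n\tu \"github.com/bpoorman/uid\"\n\t\"github.com/pborman/uuid\"\n)\n"
	for _, f := range append(ScanText("go.mod", goMod), ScanText("main.go", src)...) {
		fmt.Printf("%s:%d references imposter module %s\n", f.File, f.Line, f.Path)
	}
}
```

In a real audit, feed ScanText the contents of every go.mod, go.sum and .go file in the repository, and remember that vendored copies and private module proxies also need checking.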
