Feed
HighPublished 19 May 20261 package · 1 version

shopsprint/decimal Go typosquat ships a DNS-TXT command-and-control backdoor

Summary

Socket disclosed a long-running Go typosquat of github.com/shopspring/decimal published as github.com/shopsprint/decimal (single-letter swap, t for g). The typosquat was registered 2017-11-08 and was weaponised on 2023-08-19 in v1.3.3, which adds a malicious init() that polls a free-dynamic-DNS subdomain for TXT-record commands every five minutes and executes the response via os/exec. Dwell time before disclosure: ~33 months.

typosquatdns-exfiltrationdormant-domainobfuscation
Detected by
Socket
Ecosystems
Go
Packages tracked
1

What happened

On 2026-05-19 Socket's Threat Research team published a disclosure of github.com/shopsprint/decimal, a single-letter typosquat of the widely-used github.com/shopspring/decimal arbitrary-precision arithmetic library (~1.2k dependents in the Go ecosystem). The typosquatted repository was created on 2017-11-08 and shadowed the upstream release cadence — v1.0.0, v1.0.1, v1.1.0, v1.3.2 all built and behaved identically to the genuine library.

On 2023-08-19 the operator quietly published v1.3.3 with a tiny malicious init() function added to the package. Because init() runs at package load time, any Go program that imports the typosquat — directly or transitively — executes the payload at process start, with no required call into the decimal API. The payload launches a background goroutine that issues a DNS TXT lookup against a fixed subdomain on the free dynamic-DNS provider freemyip.com every five minutes. The TXT record's contents are passed straight to os/exec, giving the operator interactive command execution on every infected host with no HTTP traffic to inspect.

Why it stayed buried

DNS-TXT C2 is invisible to most CI/CD and production network telemetry, which focuses on HTTP/HTTPS egress. Five-minute beacons and silent error handling mean a poisoned binary can sit idle for weeks before the operator issues a command. The init() payload is ~30 lines of Go and matches the rest of the package's coding style, which let it slip past human review even after the malicious tag was visible on GitHub.

By the time Socket disclosed, the shopsprint GitHub account and repository had already been removed — but proxy.golang.org permanently caches Go module tarballs, so the malicious v1.3.3 remains downloadable and pkg.go.dev still lists the module. Anyone with a go.sum entry for github.com/shopsprint/decimal v1.3.3 will still build the malicious binary.

Scope

Socket's disclosure does not publish a victim list, and pkg.go.dev does not surface known importers of the typosquat. The only authoritative signal is per-host: search go.mod / go.sum / vendor directories for the string shopsprint/decimal. The 33-month dwell time gives an upper bound on possible exposure for any project that pinned the typosquat at any point since the 2023-08-19 weaponisation.

Affected packages (1)

  • Gogithub.com/shopsprint/decimal
    v1.3.3

Impact

  • Arbitrary command execution on every host that imported github.com/shopsprint/decimal v1.3.3 — the malicious init() runs at process start
  • Stealthy DNS-TXT command channel: no HTTP traffic, beacons polled every 5 minutes from dnslog-cdn-images.freemyip.com
  • 33-month dwell time means production binaries built any time since 2023-08-19 may still be reaching for the C2 domain
  • Goes after Go developers building financial software, billing systems, cryptocurrency platforms, and analytics tools — the same demographic that depends on the real shopspring/decimal
  • GitHub repo and shopsprint owner account were removed, but the malicious module remains permanently served by proxy.golang.org and listed on pkg.go.dev

What to do

  1. 1Grep your go.mod / go.sum / vendor directories for github.com/shopsprint/decimal — the typosquat is t (sprint) not g (spring) — and switch every import to the legitimate github.com/shopspring/decimal
  2. 2For any build host that compiled or ran a binary depending on shopsprint/decimal v1.3.3, treat the host as compromised: rotate cloud creds, SSH keys, signing keys, and any secrets the binary could read
  3. 3For any production binary that may have shipped v1.3.3, rebuild against the legitimate library and redeploy; block egress to *.freemyip.com until the fleet is rotated
  4. 4Audit network logs for outbound DNS TXT queries to dnslog-cdn-images.freemyip.com from any host that may have run a tainted build
  5. 5Add github.com/shopsprint/* to internal proxy/registry deny-lists so a typo can't reintroduce the dependency

References

go-2026-05-19-shopsprint-decimal-dns-backdoor