Single-Letter Go Typosquat Backdoors Financial and Crypto Developers

A Go module typosquatting shopspring/decimal deployed a DNS-based backdoor polling for OS commands every five minutes, targeting financial app developers.
    One letter — ‘g’ swapped for ‘t’ — is all it takes to accidentally install a backdoor that phones home every five minutes using DNS, and the target library is embedded in financial software and cryptocurrency platforms.

    shopsprint/decimal Typosquat Delivers DNS C2 Backdoor Against shopspring/decimal Users

    Socket.dev researchers discovered github.com/shopsprint/decimal, a malicious Go module that impersonates the widely used github.com/shopspring/decimal precision arithmetic library through a single-character substitution: replacing the final ‘g’ with ‘t’ to produce ‘shopsprint’. The target library is a standard dependency in Go-based financial applications requiring precise decimal arithmetic — billing systems, cryptocurrency platforms, and financial analytics tools.

    The malicious package deployed a DNS-based backdoor that contacts the C2 domain dnslog-cdn-images[.]freemyip[.]com every five minutes, querying for TXT records that contain operating system commands to execute on the compromised developer machine.

    DNS-Based C2: Designed to Evade Standard Network Security Monitoring

    DNS-based command-and-control is specifically chosen by sophisticated attackers to evade the network-layer security controls that commonly detect HTTP-based C2 traffic. Most organizations log and inspect HTTP and HTTPS traffic for anomalous behavior; far fewer apply equivalent scrutiny to DNS query traffic. DNS queries are rarely blocked outright, blend into the continuous background noise of normal operational traffic, and are frequently absent from security information and event management configurations that focus on application-layer protocols.

    Querying TXT records at a CDN-adjacent subdomain every five minutes produces traffic indistinguishable at the network layer from legitimate DNS activity. Detection requires either DNS-layer monitoring with behavioral analytics or endpoint-based detection of the polling process — neither of which is universally deployed in developer environments.

    Go Module Caching Creates Persistent Exposure After Package Deletion

    The original malicious GitHub account hosting shopsprint/decimal has been deleted. However, Go’s module caching system means deletion provides incomplete protection. Any developer who executed go get github.com/shopsprint/decimal before the account was removed still has the malicious module cached locally and will continue to use it in subsequent builds unless that cache entry is manually removed. The cached module takes precedence over a re-fetched result, preserving the backdoor in build environments even after the upstream source disappears.

    This persistence is a consequence of Go's module cache design and a practical challenge for defenders responding to malicious Go module incidents: removal from the source repository does not automatically remediate developer machines that already downloaded the package.

    Why Financial and Crypto Developers Are the Target

    The shopspring/decimal library is purpose-built for applications requiring exact decimal arithmetic without floating-point rounding errors — precisely the requirement of payment processors, billing engines, cryptocurrency transaction calculators, and financial reporting tools. Developers writing these applications are high-value targets: they build software that processes financial transactions, and their development environments often contain access tokens, API keys, and credentials for financial and cloud infrastructure that an attacker can immediately exploit.

    A DNS-polling backdoor on a financial software developer’s machine provides an attacker with persistent command execution capability in an environment with disproportionate access to sensitive financial systems.

    Scope of the shopspring/decimal Targeting and Required Response

    The deliberate targeting of a precision arithmetic library used in financial and cryptocurrency applications distinguishes this campaign from opportunistic supply chain attacks. Developers working on Go-based financial software should audit their module caches for any entry matching github.com/shopsprint/decimal, verify that the legitimate github.com/shopspring/decimal (with ‘g’) is the version in use, and treat any historical installation of the typosquat as a full host compromise requiring credential rotation for all services accessible from the affected machine.
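A small audit helper for the check described above, added here as an example and not code from the article or from Socket.dev: it flags any dependency in `go list -m all` output that differs from github.com/shopspring/decimal by exactly one character, so it catches shopsprint and any other single-substitution lookalike of the modules you list. The known-module list and the sample dependency listing are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Legitimate module paths whose one-letter lookalikes get flagged; add your own deps.
var knownModules = []string{"github.com/shopspring/decimal"}

// lookalikeOf returns the known module that modPath impersonates through a single
// character substitution (the 'g' -> 't' in shopsprint), or "" if exact/unrelated.
func lookalikeOf(modPath string) string {
	for _, known := range knownModules {
		diffs := 0 // differing bytes; the loop only runs when the lengths match
		for i := 0; len(modPath) == len(known) && i < len(known); i++ {
			if modPath[i] != known[i] {
				diffs++
			}
		}
		if diffs == 1 {
			return known
		}
	}
	return ""
}

// suspiciousDeps scans `go list -m all` output (one "path version" per line; the
// lines inside a go.mod require block have the same shape) for lookalike modules.
func suspiciousDeps(deps string) []string {
	var findings []string
	for _, line := range strings.Split(deps, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.Contains(f[0], "/") {
			continue // skips the main-module line, blank lines, "require (" and ")"
		}
		if known := lookalikeOf(f[0]); known != "" {
			findings = append(findings, f[0]+"@"+f[1]+" -> lookalike of "+known)
		}
	}
	return findings
}

func main() {
	// Constructed sample `go list -m all` output (not from the article).
	sample := "example.com/billing\ngithub.com/shopsprint/decimal v1.3.1\ngithub.com/shopspring/decimal v1.3.1\n"
	for _, finding := range suspiciousDeps(sample) {
		fmt.Println("SUSPICIOUS:", finding)
	}
}
```

On a positive finding, `go clean -modcache` purges the local module cache so later builds re-download from the legitimate source; the credential rotation the article calls for still applies to that host.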
