www.techspot.com
The big picture: The Go programming language was designed to offer a C-like syntax while prioritizing memory safety and security. Also known as Golang, Go has been growing in popularity among both legitimate developers and resourceful cybercriminals. Now one of the most popular languages alongside "traditional" standards such as Python, C, and Visual Basic, Go has been exploited to turn a legitimate open-source project into malicious software. The heart of the issue lay in the Google-owned proxy.golang.org service, which acts as a mirror that lets developers fetch and install Go modules quickly without contacting the original GitHub repositories.

The supply chain attack was recently discovered by security company Socket Inc., which played a key role in getting the malicious package taken down. The Go Module Mirror hosted a modified version of a legitimate Go package called boltdb, which thousands of other software packages depend on. The malicious version entered the Google proxy server in 2021 and was served to Go developers at least until last Monday.

Google's proxy service prioritizes caching for performance reasons, as Socket explained, and keeps its cached copy of a module version even after the original source has been modified. The attackers used typosquatting: they created a new repository on GitHub (boltdb-go/bolt) whose URL resembled that of the original, clean one (boltdb/bolt).

The malicious module contained a backdoor payload controlled by the threat actors through an external command-and-control (C2) server. Once the Go Module Mirror had fetched and cached the module, the attackers reverted the GitHub repository to a clean version. Anyone inspecting the source saw harmless code, while the backdoored copy remained in the proxy's cache for years.

The backdoor carried a concealed IP address and port, which it used to check the C2 server for further orders and commands.
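The mechanism above is worth making concrete: go.sum and `go mod verify` only check that a module matches whatever was first downloaded, so they cannot tell you that the proxy's cached copy has drifted from what the source repository now serves. The added example below (written for this article, not Socket's or Google's code, and not the real boltdb module) reimplements the `h1:` checksum that go.sum records for a module zip using only the standard library, then compares the sum of a zip as served by a proxy against the sum of a zip fetched straight from the origin. The module path example.com/boltdb-go/bolt, the version, the file contents and the TEST-NET C2 address in the sample are all constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"sort"
)

// makeModuleZip builds an in-memory module zip from a name->content map.
// It exists only to construct sample data for this example.
func makeModuleZip(files map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		f, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(files[n])); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Hash1 computes the "h1:" checksum go.sum records for a module zip: every
// file, in sorted name order, contributes "<sha256 hex>  <name>\n" to a
// summary, and the result is the base64 SHA-256 of that summary. This is the
// Hash1 construction from golang.org/x/mod/sumdb/dirhash, reimplemented with
// the standard library so the example runs offline.
func Hash1(zipBytes []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return "", err
	}
	byName := make(map[string]*zip.File, len(r.File))
	names := make([]string, 0, len(r.File))
	for _, f := range r.File {
		byName[f.Name] = f
		names = append(names, f.Name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		rc, err := byName[n].Open()
		if err != nil {
			return "", err
		}
		fileHash := sha256.New()
		_, err = io.Copy(fileHash, rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		fmt.Fprintf(summary, "%x  %s\n", fileHash.Sum(nil), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// VerifyAgainstDirect compares the zip a proxy served for a module version
// with the zip obtained straight from the origin (GOPROXY=direct). Equal sums
// mean the cache matches upstream; different sums mean the proxy is serving
// content the source repository no longer contains, which is exactly what a
// reverted typosquat repository leaves behind.
func VerifyAgainstDirect(proxyZip, directZip []byte) (match bool, proxySum, directSum string, err error) {
	if proxySum, err = Hash1(proxyZip); err != nil {
		return false, "", "", err
	}
	if directSum, err = Hash1(directZip); err != nil {
		return false, "", "", err
	}
	return proxySum == directSum, proxySum, directSum, nil
}

// Constructed sample under an assumed module path. The proxy-cached copy
// carries an extra file whose init() beacons to a placeholder C2 address
// (TEST-NET-1); the copy fetched from the since-reverted repository does not.
const modPrefix = "example.com/boltdb-go/bolt@v1.3.1/"

func sampleFiles(backdoored bool) map[string]string {
	files := map[string]string{
		modPrefix + "go.mod":  "module example.com/boltdb-go/bolt\n\ngo 1.21\n",
		modPrefix + "bolt.go": "package bolt\n\nfunc Open(path string) error { return nil }\n",
	}
	if backdoored {
		files[modPrefix+"bolt_init.go"] = "package bolt\n\nimport \"net\"\n\n// stand-in beacon to a placeholder C2 address\nfunc init() { if c, err := net.Dial(\"tcp\", \"192.0.2.10:8443\"); err == nil { c.Close() } }\n"
	}
	return files
}

func SampleDirectZip() []byte { return makeModuleZip(sampleFiles(false)) }
func SampleProxyZip() []byte  { return makeModuleZip(sampleFiles(true)) }

func main() {
	match, proxySum, directSum, err := VerifyAgainstDirect(SampleProxyZip(), SampleDirectZip())
	if err != nil {
		panic(err)
	}
	fmt.Println("proxy :", proxySum)
	fmt.Println("direct:", directSum)
	if !match {
		fmt.Println("MISMATCH: cached module differs from upstream source")
	}
}
```

In a real audit you would not build the zips by hand: run `go mod download -json <module>@<version>` once with the default GOPROXY and once with `GOPROXY=direct`, and compare the `Sum` fields (or feed the downloaded `Zip` files to `Hash1` above). Note that sum.golang.org also records the hash of whatever was first fetched, so a checksum-database match is not evidence that the cached copy agrees with the repository today; only a direct fetch shows that.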
The IP belonged to hosting company Hetzner Online, a legitimate and trustworthy infrastructure provider, which gave the malware an additional layer of "invisibility": traffic to a mainstream hosting provider draws far less suspicion than traffic to an unknown host.

Socket explained that, unlike other "indiscriminate" malicious operations, this particular Go backdoor was designed to maximize the likelihood of successful attacks and to remain undetected for as long as possible. The company also faced resistance from Google in its efforts to take the malicious package offline. Socket first asked the proxy's maintainers to remove the backdoored module last week, but the issue remained unresolved. After a follow-up this week, Google's Go Module Mirror finally addressed the problem a few days ago.