Malicious Go Packages Mimic Google’s UUID Library to Exfiltrate Sensitive Data

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Security researchers have uncovered a long-running supply chain attack targeting the Go programming community.

The Socket Threat Research Team recently identified two malicious packages, github.com/bpoorman/uuid and github.com/bpoorman/uid, that have been silently stealing data from unsuspecting developers for years.

The attack relies on a technique called “typosquatting.”

Fake Go Packages Discovered

The malicious packages are designed to look almost identical to legitimate, widely used libraries like github.com/google/uuid and github.com/pborman/uuid.

malicious github[.]com/bpoorman/uuid package

The attacker used the username bpoorman to mimic the popular maintainer pborman.

Because these legitimate libraries are downloaded millions of times and used as standard utilities in Go applications, developers often type the names from memory.

A single typo, typing “bpoorman” instead of “pborman,” is all it takes to install the malware accidentally.

Once installed, the fake package behaves like the real one, correctly generating unique identifiers (UUIDs), making the attack very hard to detect.

How the Attack Works

While the package performs its expected duties, it contains a hidden trap. The attacker included a malicious helper function named Valid.

In the legitimate library, a similar function would check if an ID format is correct. However, in this fake version, the Valid function acts as a backdoor.

When a developer passes data into this function, such as user IDs, session tokens, or email addresses, the code secretly encrypts that information.

the malicious github[.]com/bpoorman/uuid Go package

It then uploads the stolen data to dpaste.com, a public text-sharing website, using a hardcoded API token.

This process happens silently in the background, meaning sensitive information is leaked without any error messages or apparent signs of trouble.

Perhaps most alarming is how long this threat has persisted. The bpoorman/uuid package was first published in May 2021 and has remained live in the Go ecosystem for more than four years.

At the time of discovery, the malicious UUID package was still listed on pkg.go.dev, the primary discovery site for Go packages.


Although the uid package was removed from the search index, it remains downloadable through public mirrors. This Socket discovery serves as a critical reminder for developers to audit their dependencies.

Socket experts recommend that teams double-check their go.mod files to ensure they are importing the correct pborman or Google libraries and not the malicious bpoorman imposter. Treat every new dependency as untrusted until it is verified.
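One way to automate that go.mod check, added here as an example rather than code from Socket or the article: it parses the require directives, flags the two module paths reported above by name, and flags any other path within two edits of a legitimate uuid module (the edit distance between bpoorman and pborman is 2). The trusted list is an assumption standing in for whatever modules a team actually intends to use.

```go
package main

import "strings"

// Modules the article names: the legitimate ones a team intends to use (assumed) and the two typosquats it reports.
var trusted = []string{"github.com/google/uuid", "github.com/pborman/uuid"}
var knownBad = map[string]bool{"github.com/bpoorman/uuid": true, "github.com/bpoorman/uid": true}
// levenshtein is the edit distance between a and b; "bpoorman" vs "pborman" is 2.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			for _, d := range []int{prev[j] + 1, cur[j-1] + 1} { // deletion, insertion
				if d < cur[j] {
					cur[j] = d
				}
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// AuditGoMod scans go.mod text (require lines and block entries, comments stripped) and reports known-bad paths and any path within two edits of a trusted module.
func AuditGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.SplitN(line, "//", 2)[0], "require "))
		if len(f) == 0 || !strings.Contains(f[0], "/") { // skips module, go, "(" and ")" lines
			continue
		}
		if knownBad[f[0]] {
			findings = append(findings, f[0]+": known malicious package")
			continue
		}
		for _, t := range trusted {
			if f[0] != t && levenshtein(f[0], t) <= 2 {
				findings = append(findings, f[0]+": look-alike of "+t)
			}
		}
	}
	return findings
}
```

Run it over each go.mod in the repository (the replace block is covered too, since its entries begin with a module path); a "known malicious" finding means the dependency was actually pulled and the data passed to its Valid function should be treated as exposed.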
