Executive Summary
Socket reported that github.com/shopsprint/decimal is a long-running one-character typosquat of the legitimate github.com/shopspring/decimal Go module Socket opens in a new tab. GBHackers noted that the module sat clean for years to establish reputation before receiving its weaponized v1.3.3 update GBHackers opens in a new tab. The malicious v1.3.3 release added an init() goroutine that queried DNS TXT records and executed returned commands, giving attackers a stealthy command channel inside any application importing the typoed module, bypassing basic firewall layers Cybersecurity News opens in a new tab.
The source repository and owner were removed by disclosure time, but Go's public module proxy continued to serve the cached module artifact because proxy.golang.org permanently caches published module zips Go Modules opens in a new tab. Defenders must search source, go.mod, go.sum, vendored code, build caches, and released binaries for the typoed module path, replace it with the canonical github.com/shopspring/decimal path, and enforce checksum/proxy hardening guidelines CyberPress opens in a new tab.