Malicious code in github.com/boltdb-go/bolt (Go)
github.com/boltdb-go/bolt is a malicious Go package that typosquats the legitimate BoltDB library. It contains a backdoor enabling remote code execution on systems that install it.
- Disclosed
- Last updated
- Blast radius
- Any Go project that depends on github.com/boltdb-go/bolt instead of the legitimate BoltDB package
- Ecosystems
- Attack vectors
- Affected entities
- github.com/boltdb-go/boltMalicious typosquat package containing remote code execution backdoor
A malicious Go package named github.com/boltdb-go/bolt has been identified as a typosquat of the legitimate BoltDB package. The package contains a backdoor that enables remote code execution (RCE) on affected systems.\n\nThe malicious package is designed to deceive developers into installing it instead of the legitimate BoltDB library, likely through typos or confusion in dependency specifications. Any Go project that mistakenly depends on this malicious package is at risk of code execution compromise.\n\nThis incident was reported via the Google Open Source Security advisory system.
Indicators of compromise
- Packages
- github.com/boltdb-go/bolt
Remediation
- Audit all Go project dependencies to identify any use of github.com/boltdb-go/bolt
- Replace any instances of github.com/boltdb-go/bolt with the legitimate github.com/boltdb/bolt package
- Review and rotate any credentials or secrets that may have been exposed on affected systems
- Scan affected systems for signs of unauthorized access or code execution
- Update to the latest version of the legitimate BoltDB package
Sources
- GitHub Advisory GHSA-9gmm-c6g7-rqg9 · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/boltdb-go/bolt (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-boltdb-go-bolt-go-sgi4xv
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- resolvedcritical
Malicious code in github.com/shallowmulti/hypert (Go)
A malicious Go package github.com/shallowmulti/hypert was published as a typosquatting attack, designed to act as a loader for downloading and executing additional malicious payloads on Linux and macOS systems. The package was identified and reported via the GitHub Advisory Database.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/ornatedoctrin/layout (Go)
A malicious Go package github.com/ornatedoctrin/layout was identified as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/shadowybulk/hypert (Go)
A malicious Go package, github.com/shadowybulk/hypert, was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
GoTyposquattingCompromised package - resolvedcritical
Malicious code in github.com/thankfulmai/hypert (Go)
A malicious Go package github.com/thankfulmai/hypert was published as a typosquatting attack targeting Linux and macOS systems. The package functioned as a loader to download and execute additional malicious payloads.
GoTyposquattingCompromised package