Supply Chain - May 19, 2026

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

A malicious Go module typosquatting a popular decimal library was found with a DNS backdoor.

Summary

A malicious Go module, github.com/shopsprint/decimal, was identified typosquatting the popular github.com/shopspring/decimal library. The malicious module contains a command-and-control channel that runs over DNS TXT records, allowing a threat actor to execute commands on compromised machines.
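The two module paths differ by a single character, so a dependency review can catch this class of typosquat by flagging near-miss paths in go.mod. The following is an added example, not code from the original report; the function names, the distance threshold of 2, and the sample go.mod (app path and version) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// editDistance returns the byte-wise Levenshtein distance between a and b.
func editDistance(a, b string) int {
	row := make([]int, len(b)+1)
	for j := range row {
		row[j] = j
	}
	for i := 1; i <= len(a); i++ {
		diag := row[0] // value from the previous row, one column left
		row[0] = i
		for j := 1; j <= len(b); j++ {
			best := diag // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if row[j]+1 < best {
				best = row[j] + 1 // deletion
			}
			if row[j-1]+1 < best {
				best = row[j-1] + 1 // insertion
			}
			diag, row[j] = row[j], best
		}
	}
	return row[len(b)]
}

// findLookalikes returns go.mod tokens within maxDist edits of good, excluding exact matches.
func findLookalikes(goMod, good string, maxDist int) []string {
	var hits []string
	for _, tok := range strings.Fields(goMod) {
		if d := editDistance(tok, good); d > 0 && d <= maxDist {
			hits = append(hits, tok)
		}
	}
	return hits
}

func main() {
	// Constructed go.mod; the app path and version are placeholders.
	sample := "module example.com/app\n\nrequire github.com/shopsprint/decimal v0.0.0\n"
	fmt.Println(findLookalikes(sample, "github.com/shopspring/decimal", 2))
}
```

Every whitespace-separated token is compared, so a lookalike path in a replace directive or a comment is flagged as well as one in a require line.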

Entities

  • Go (product)
  • decimal (product)
  • GitHub (vendor)
  • DNS (technology)