The BoltDB Go module was found to be backdoored with malicious code that allowed attackers to remotely control infected computers through a command-and-control server. The malicious package, which was released in November 2021, was cached by the Go Module Mirror service and remained unnoticed for several years. Researchers discovered the issue on January 30, 2025, by which point it had affected thousands of organizations over three years. The incident highlights a significant flaw in the software supply chain ecosystem: malicious packages are still searchable on the Go Module Proxy. To mitigate such risks, it is essential to follow best practices and use tools like Snyk to secure the software supply chain.