
In the fork, they added malicious code, which granted the attacker backdoor access to compromised computers.

That instance was then cached indefinitely by the Go Module Mirror service.


“This is possible because Git tags are mutable unless explicitly protected,” Socket said.

“A repository owner can delete and reassign a tag to a different commit at any time.”

The malicious version ended up permanently accessible through the Go Module Proxy, Boychenko explained.
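The two facts above (a tag can be moved, and the proxy keeps the version it first cached) give a defender a simple consistency check: fetch the same module version once through proxy.golang.org and once with `GOPROXY=direct` (straight from the VCS) and compare the `h1:` sums that `go mod download -json` reports. If they differ, the tag no longer points at the commit the proxy cached, which is exactly the situation the article describes and deserves a closer look before the module is trusted. The script below is an added example, not code from the article, Socket, or the Go team; the module path `example.com/PLACEHOLDER/module`, the version and the JSON documents are constructed placeholders so that it runs offline, and the `go` invocations in the comments assume a Go toolchain with checksum-database access.

```shell
#!/bin/sh
# Added example (not from the article or from Socket / the Go team).
# Compare the module sum the Go proxy cached with the sum a direct VCS fetch
# yields now. In a real run the two JSON documents come from, e.g.:
#   GOPROXY=https://proxy.golang.org go mod download -json MODULE@VERSION
#   GOPROXY=direct GONOSUMDB=MODULE go mod download -json MODULE@VERSION
# (GONOSUMDB on the direct fetch stops the go command from aborting on the
# checksum-database mismatch that a moved tag would otherwise trigger, so the
# script can report the difference itself.)

extract_sum() {
  # $1: JSON text printed by "go mod download -json"; prints the "Sum" field
  # (the h1: hash of the module zip), or nothing if the field is absent.
  printf '%s\n' "$1" | sed -n 's/.*"Sum": *"\([^"]*\)".*/\1/p' | head -n 1
}

compare_module_sums() {
  # $1: JSON from the proxy fetch, $2: JSON from the direct (VCS) fetch.
  # Returns 0 when both sums agree, 1 when the tag now resolves to different
  # content than the proxy cached, 2 when either document carries no Sum
  # (fetch failed or the wrong command output was passed in).
  proxy_sum=$(extract_sum "$1")
  direct_sum=$(extract_sum "$2")
  if [ -z "$proxy_sum" ] || [ -z "$direct_sum" ]; then
    return 2
  fi
  if [ "$proxy_sum" = "$direct_sum" ]; then
    return 0
  fi
  return 1
}

report() {
  # Human-readable verdict; always returns 0 so it is safe at top level.
  if compare_module_sums "$1" "$2"; then
    echo "OK: proxy cache and direct fetch agree"
  else
    case $? in
      1) echo "ALERT: tag content differs from what the proxy cached (tag moved?)" ;;
      2) echo "ERROR: could not read a Sum from one of the inputs" ;;
    esac
  fi
  return 0
}

# Constructed sample documents (placeholder module, made-up hashes) so the
# check can be exercised without network access.
PROXY_JSON='{
	"Path": "example.com/PLACEHOLDER/module",
	"Version": "v1.4.0",
	"Sum": "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
	"GoModSum": "h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
}'
DIRECT_JSON_MOVED='{
	"Path": "example.com/PLACEHOLDER/module",
	"Version": "v1.4.0",
	"Sum": "h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=",
	"GoModSum": "h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
}'

report "$PROXY_JSON" "$PROXY_JSON"          # unchanged tag
report "$PROXY_JSON" "$DIRECT_JSON_MOVED"   # tag re-pointed after caching
```

Note that the checksum database (sum.golang.org) records the sum of the version it first saw, so a plain `go get` against a moved tag fails on the mismatch; the value of running the comparison explicitly is that it tells you *which* side changed and lets you pin the known-good sum in `go.sum` before anything is built.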

We are addressing this through fixes like capability analysis via Capslock and running comparisons with deps.dev.

We want to thank Socket and the Go team contributors that detected the module and are addressing fixes.