Go Module Mirror


peterGo

Feb 5, 2025, 8:11:17 AMFeb 5
to golang-nuts
Go Module Mirror

FYI

Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence

Go Module Mirror served backdoor to devs for 3+ years
https://arstechnica.com/security/2025/02/backdoored-package-in-go-mirror-site-went-unnoticed-for-3-years/

Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
https://www.reddit.com/r/golang/comments/1ii6l00/go_supply_chain_attack_malicious_package_exploits/?rdt=54944

x/pkgsite: links can point at source code that may not match what is served by the module proxy #66653
https://github.com/golang/go/issues/66653

peter

will....@gmail.com

Feb 5, 2025, 12:24:15 PMFeb 5
to golang-nuts
Looks like the package is still in the proxy, and sadly is used by one known person.

It would be useful if the proxy site had a tamper warning at the top of a package’s page when the code hash for the version has changed. Perhaps it would be useful to list all the tampered packages in a master list so we can see how pervasive the problem is.

Will Faught

Feb 5, 2025, 12:39:05 PMFeb 5
to golang-nuts
Also I don’t see the version hash listed on the package page (browsing in iOS Safari). That would help to compare against the repo for tampering.

On Feb 5, 2025, at 9:25 AM, will....@gmail.com <will....@gmail.com> wrote:

Looks like the package is still in the proxy, and sadly is used by one known person.
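The two replies above ask for a way to see whether the module bytes served by the proxy still match the hash pinned for that version. The example below is an added illustration, not code from the thread or from the Go project: it reimplements, with the standard library only, the `h1:` directory-hash scheme that `go.sum` and the checksum database record (the Hash1 algorithm of `golang.org/x/mod/sumdb/dirhash`), looks up the pinned value in a `go.sum` excerpt, and reports a mismatch when the served content differs. The module contents and the `go.sum` lines are constructed sample data; the module path `example.com/m` is a placeholder.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleHash1 computes the "h1:" hash that go.sum and the checksum database
// record for a module version. This mirrors the Hash1 algorithm of
// golang.org/x/mod/sumdb/dirhash: file names are sorted, each line of the
// summary is "<sha256 hex>  <name>\n", and the summary's SHA-256 is
// base64-encoded. Names are the entries as they appear in the module zip,
// i.e. prefixed with "path@version/".
func ModuleHash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("file names with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// GoSumEntry returns the hash pinned for module@version in go.sum text.
// Lines for "version/go.mod" hash only the go.mod file and are skipped here.
func GoSumEntry(goSum, module, version string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version {
			return f[2], true
		}
	}
	return "", false
}

// Verify returns nil when the served module content hashes to the pinned
// value, and a descriptive error otherwise.
func Verify(pinned string, files map[string][]byte) error {
	got, err := ModuleHash1(files)
	if err != nil {
		return err
	}
	if got != pinned {
		return fmt.Errorf("module content mismatch: go.sum pins %s, served content hashes to %s", pinned, got)
	}
	return nil
}

// sampleModule is a constructed stand-in for the files of a proxy-served
// module zip (hypothetical module example.com/m at v1.0.0).
func sampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.21\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n\nfunc Hello() string { return \"hello\" }\n"),
	}
}

// tamperedCopy returns the same module with one source file altered, which is
// what a swapped-out version served from the cache would look like on disk.
func tamperedCopy(files map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for k, v := range files {
		out[k] = v
	}
	out["example.com/m@v1.0.0/m.go"] = []byte("package m\n\nfunc Hello() string { return \"hello\" } // changed\n")
	return out
}

func main() {
	files := sampleModule()
	h, _ := ModuleHash1(files)
	// Constructed go.sum excerpt pinning the hash we just computed.
	goSum := "example.com/m v1.0.0 " + h + "\n" +
		"example.com/m v1.0.0/go.mod h1:PLACEHOLDER-GO-MOD-HASH\n"
	pinned, _ := GoSumEntry(goSum, "example.com/m", "v1.0.0")
	fmt.Println("pinned:", pinned)
	fmt.Println("served (original):", Verify(pinned, files))
	fmt.Println("served (tampered):", Verify(pinned, tamperedCopy(files)))
}
```

In practice the "served content" side comes from the zip the proxy hands out (`go mod download -json` prints its `Sum`, and `go mod verify` re-hashes the cached copy), and the pinned side is the `go.sum` entry or the checksum database record; the check is only meaningful when the pinned value was taken from a source independent of the proxy being checked.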