Looks like the package is still in the proxy, and sadly is used by one 
known person.

It would be useful if the proxy site had a tamper warning at the top of a 
package’s page when the code hash for the version has changed. Perhaps it 
would be useful to list all the tampered packages in a master list so we 
can see how pervasive the problem is.

On Wednesday, February 5, 2025 at 5:11:17 AM UTC-8 peterGo wrote:

> Go Module Mirror
>
> FYI
>
> Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching 
> for Persistence
> https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
>
> Go Module Mirror served backdoor to devs for 3+ years
> https://arstechnica.com/security/2025/02/backdoored-package-in-go-mirror-site-went-unnoticed-for-3-years/
>
> Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching 
> for Persistence
> https://www.reddit.com/r/golang/comments/1ii6l00/go_supply_chain_attack_malicious_package_exploits/?rdt=54944
>
> x/pkgsite: links can point at source code that may not match what is 
> served by the module proxy #66653
> https://github.com/golang/go/issues/66653
>
> peter

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/339b5b35-f44c-4b2a-ac7c-7d7e7a4ffa5an%40googlegroups.com.
