Hijackable Go Module Repositories

The Go module ecosystem is unique because it’s decentralized. Other packaging systems like PyPI or npm require developers to create accounts to upload their packages.

This gives the package platform the ability to moderate users and content. That isn’t the case with Go. Go developers publish modules by pushing their code to source control platforms like GitHub. Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module’s details.

Source: VulnCheck