Search papers, labs, and topics across Lattice.
This study investigates a supply chain attack in the Go ecosystem, where attackers repackage legitimate Go modules with obfuscated code to create malicious versions. Through a combination of manual GitHub searches and a large-scale scan of 12.3 million index entries using a custom deobfuscating AST scanner, the researchers identified 2,289 malicious module versions. The findings reveal that traditional GitHub searches are insufficient for detecting the full scope of the compromise, as a significant number of malicious artifacts remain accessible via Go proxies even after being removed from GitHub.
Over 99% of malicious Go module versions remain retrievable via proxies long after GitHub has taken them down, exposing a critical gap in supply chain security.
We measure an automation-based supply chain campaign in the Go ecosystem. The attackers repackage legitimate Go modules under attacker-controlled owners, and embed them with obfuscated code for an import-triggered downloader. Our results come from two complementary analyses: a) a manual search on GitHub across 2,113 repositories and b) a large-scale scan of 12.3M index entries using a deobfuscating AST scanner (GOAST) that we implemented. As a result, we identified 2,289 malicious versions of legitimate Go modules. We demonstrate that purely GitHub-centric searches fail to identify the full extent of the compromise and are only effective for as long as the affected code is present on the platform. Moreover, our proxy-based measurements of the takedown-remediation gap reveal that among artifacts later found to be GitHub-unobservable (i.e., removed or suspended), at least 99.4% remained retrievable via Go proxy. Following our disclosure, GitHub has removed 684 malicious repositories and the Google Go team has remediated 1,377 module versions.