๐ค AI Summary
This study addresses the persistent availability of malicious Go modules through the official Go proxy despite their removal from GitHub, revealing a critical remediation gap between GitHubโs content takedown mechanisms and the Go proxyโs caching behavior. By integrating manual investigation, large-scale indexing via a custom GOAST deobfuscation-based AST scanner, and proxy observability analysis, the authors identified 2,289 supply chain attack samples masquerading as legitimate modules. Their findings prompted GitHub to remove 684 malicious repositories and led the Google Go team to purge 1,377 compromised modules. Notably, the study demonstrates that 99.4% of modules deleted from GitHub remained distributable via the Go proxy, underscoring that platform-level takedowns alone are insufficient to mitigate software supply chain threats.
๐ Abstract
We measure an automation-based supply chain campaign in the Go ecosystem. The attackers repackage legitimate Go modules under attacker-controlled owners, and embed them with obfuscated code for an import-triggered downloader. Our results come from two complementary analyses: a) a manual search on GitHub across 2,113 repositories and b) a large-scale scan of 12.3M index entries using a deobfuscating AST scanner (GOAST) that we implemented. As a result, we identified 2,289 malicious versions of legitimate Go modules. We demonstrate that purely GitHub-centric searches fail to identify the full extent of the compromise and are only effective for as long as the affected code is present on the platform. Moreover, our proxy-based measurements of the takedown-remediation gap reveal that among artifacts later found to be GitHub-unobservable (i.e., removed or suspended), at least 99.4% remained retrievable via Go proxy. Following our disclosure, GitHub has removed 684 malicious repositories and the Google Go team has remediated 1,377 module versions.