Beyond Takedown: Measuring Malicious Go Module Persistence in the Wild

๐Ÿ“… 2026-06-24
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF
๐Ÿค– AI Summary
This study addresses the persistent availability of malicious Go modules through the official Go proxy despite their removal from GitHub, revealing a critical remediation gap between GitHubโ€™s content takedown mechanisms and the Go proxyโ€™s caching behavior. By integrating manual investigation, large-scale indexing via a custom GOAST deobfuscation-based AST scanner, and proxy observability analysis, the authors identified 2,289 supply chain attack samples masquerading as legitimate modules. Their findings prompted GitHub to remove 684 malicious repositories and led the Google Go team to purge 1,377 compromised modules. Notably, the study demonstrates that 99.4% of modules deleted from GitHub remained distributable via the Go proxy, underscoring that platform-level takedowns alone are insufficient to mitigate software supply chain threats.
๐Ÿ“ Abstract
We measure an automation-based supply chain campaign in the Go ecosystem. The attackers repackage legitimate Go modules under attacker-controlled owners, and embed them with obfuscated code for an import-triggered downloader. Our results come from two complementary analyses: a) a manual search on GitHub across 2,113 repositories and b) a large-scale scan of 12.3M index entries using a deobfuscating AST scanner (GOAST) that we implemented. As a result, we identified 2,289 malicious versions of legitimate Go modules. We demonstrate that purely GitHub-centric searches fail to identify the full extent of the compromise and are only effective for as long as the affected code is present on the platform. Moreover, our proxy-based measurements of the takedown-remediation gap reveal that among artifacts later found to be GitHub-unobservable (i.e., removed or suspended), at least 99.4% remained retrievable via Go proxy. Following our disclosure, GitHub has removed 684 malicious repositories and the Google Go team has remediated 1,377 module versions.
Problem

Research questions and friction points this paper is trying to address.

Go modules
supply chain attack
malicious persistence
code obfuscation
takedown gap
Innovation

Methods, ideas, or system contributions that make the work stand out.

GOAST
deobfuscating AST scanner
supply chain attack
Go module persistence
takedown-remediation gap
๐Ÿ”Ž Similar Papers
No similar papers found.
๐Ÿ’ผ Related Jobs
No related jobs found.