Ars Technica

Backdoored package in Go mirror site went unnoticed for >3 years

I think software development has a fundamental problem caused by its need for trust. As much as researchers admonish people to audit their dependencies by reading through its code, that's a cost in ...
Ars Technica

Go Module Mirror served backdoor to devs for 3+ years

A mirror proxy Google runs on behalf of developers of the Go programming language pushed a backdoored package for more than three years until Monday, after researchers who spotted the malicious code ...