<ul><li>A mirror proxy Google runs on behalf of developers of the Go programming language pushed a backdoored package for more than three years until Monday.</li><li>The Go Module Mirror caches open source packages available on GitHub and elsewhere to ensure compatibility and faster downloads.</li><li>Since November 2021, the Go Module Mirror has hosted a backdoored version of a widely used module.</li><li>The backdoored file used typosquatting, a technique that redirects users to a malicious file when they mistype or slightly vary the correct name.</li></ul>

Go Module Mirror served backdoor to devs for 3+ years

Discover more