Safeguard
Tag

go-modules

Safeguard articles tagged "go-modules" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Supply Chain Security

Anatomy of a Malicious Go Package Typosquat

A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.

Jul 10, 20266 min read
Security Guides

Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk

Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.

Jul 6, 20266 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
Threat Intelligence

Typosquatting across package registries (npm, Go, PyPI)

Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.

May 9, 20267 min read
Open Source Security

Go's 'go get' Remote Code Execution via Crafted Import Pa...

A deep dive into CVE-2018-16873, the Go 'go get' remote code execution vulnerability caused by crafted import paths and command injection in DVCS fetches.

Nov 30, 20258 min read
Open Source Security

Go module checksum database bypass risks

Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.

Nov 18, 20257 min read
Open Source Security

How Snyk Open Source scans Go modules and resolves the Go...

How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.

Aug 29, 20257 min read
Engineering

Vendoring Dependencies: When It Helps and When It Hurts Security

Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.

May 25, 20257 min read
Engineering

Go Module Security: sumdb, GOPROXY and Private Modules

How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.

Feb 27, 20257 min read
Concepts

What is Repo-Jacking

Repo-jacking hijacks renamed or deleted GitHub namespaces to serve attacker code at trusted URLs. Here's how the redirect trick works and how to audit your exposure.

May 5, 20247 min read
Dependency Security

Golang Module Security and Verification

Securing your Go module supply chain with checksum databases, GOPROXY, and vendor directories.

Jul 22, 20235 min read
go-modules — Safeguard Blog