Here’s an article on a real supply chain attack on Go. Who needs elaborate domain squatting when GitHub makes it easy. Again, FOSS independent attacks, but rather Go specific.
Unlike centralized package managers such as npm or PyPI, the Go ecosystem’s decentralized nature where modules are directly imported from GitHub repositories creates substantial confusion. Developers often encounter multiple similarly named modules with entirely different maintainers, as shown below. This ambiguity makes it exceptionally challenging to identify legitimate packages from malicious impostors, even when packages aren’t strictly “typosquatted.” Attackers exploit this confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects.