Product
Arjun Barrett
August 2, 2023
Today is an exciting day for all Go developers! We're thrilled to unveil Socket's early access support for the Go programming language.
Since we started Socket, our mission has been to fortify the software supply chain against attacks. We began our journey safeguarding JavaScript applications against the dangers of the NPM ecosystem. Over the last few months, we've been hard at work detecting and defending against threats unique to Python. Now, we're taking a significant leap by extending our support to Go, or as many of you fondly call it, Golang!
Go's lightning speed, concurrency support, and simple syntax have made it an ideal choice for various applications – from web servers to networking tools and data pipelines. Given Go's increasing popularity as a general purpose language, it's only natural that the ecosystem surrounding Go would grow. However, as with all burgeoning ecosystems, it has become a target for potential supply chain threats.
After being introduced in 2018, Go Modules clarified Go's dependency management situation, bringing reproducibility and verifiability to the Go ecosystem. But Go Modules are not immune to threats. Over the past few months, we've observed an uptick in supply chain attacks targeting Golang. Recognizing this imminent threat, we knew it was time to bring Socket's proven proactive protection to Go.
Adding support for Go wasn't without its challenges:
- The go.sum file isn't a lockfile, but rather Go's last line of defense against hijacked version tags in VCS repositories and module proxies. While it's an important part of keeping Go's ecosystem secure, it alone cannot protect against dangerous code within a Go module.
- The go.mod file and Minimal Version Selection. A security tool needs to understand potential vulnerabilities in Go's module resolution scheme and the dangers that can be introduced via transitive dependencies. As we've seen in the npm ecosystem, when security tools fail to properly parse the dependencies in use, chaos and security flaws often follow.
Our team has been hard at work understanding the intricacies of Go and ensuring that Socket can offer the same robust protection for Go projects that it does for JavaScript and Python.
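The two points above (MVS can pull in a transitive version your go.mod never names, and go.sum only catches content that changed after it was pinned) are easiest to see in code. The following is an added example written for this page, not Socket's code or part of the Go toolchain: it runs a minimal version selection over a constructed module graph under the hypothetical paths example.com/app, example.com/a and example.com/b, then recomputes the h1: checksum that go.sum stores for a dependency's go.mod file (the dirhash Hash1 algorithm over a single file named go.mod) and checks a fetched copy against it. The go.mod contents and go.sum line are constructed inline; only the /go.mod entry is covered, since the module's other go.sum line hashes every file in the module zip.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Module is one path@version pair as it appears in a go.mod require block.
type Module struct{ Path, Version string }

// Requirements is a constructed module graph for the example: each module
// version maps to what its own go.mod requires. A real build reads these
// from the module cache or proxy.
type Requirements map[Module][]Module

// parseSemver turns "vMAJOR.MINOR.PATCH" into three ints; pre-release
// suffixes are dropped, which is enough for this illustration.
func parseSemver(v string) [3]int {
	var out [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, _ := strconv.Atoi(strings.SplitN(parts[i], "-", 2)[0])
		out[i] = n
	}
	return out
}

func semverLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// BuildList is Minimal Version Selection in its simplest form: visit every
// module version reachable through requirement edges (not only the newest
// ones), then keep the highest version seen per module path. This is why a
// transitive requirement can raise a version above what your go.mod names.
func BuildList(root Module, reqs Requirements) map[string]string {
	selected := map[string]string{}
	seen := map[Module]bool{}
	queue := []Module{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		if seen[m] {
			continue
		}
		seen[m] = true
		if cur, ok := selected[m.Path]; !ok || semverLess(cur, m.Version) {
			selected[m.Path] = m.Version
		}
		queue = append(queue, reqs[m]...)
	}
	delete(selected, root.Path) // the main module is not its own dependency
	return selected
}

// HashGoMod recomputes the "h1:" value go.sum records for a dependency's
// go.mod: dirhash Hash1 over one file named go.mod (a "<sha256hex>  go.mod\n"
// summary line, then SHA-256 of that summary, base64-encoded).
func HashGoMod(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	summary := fmt.Sprintf("%x  %s\n", fileSum, "go.mod")
	total := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(total[:])
}

// ParseGoSum maps "path version" and "path version/go.mod" to their hashes.
func ParseGoSum(text string) map[string]string {
	sums := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// CheckGoMod compares a freshly fetched go.mod against the pinned go.sum
// entry. A mismatch is what go.sum exists to catch (the tag now points at
// different content); a missing entry means nothing has been pinned yet.
func CheckGoMod(m Module, fetched []byte, sums map[string]string) error {
	key := m.Path + " " + m.Version + "/go.mod"
	want, ok := sums[key]
	if !ok {
		return fmt.Errorf("%s: no go.sum entry to verify against", key)
	}
	if got := HashGoMod(fetched); got != want {
		return fmt.Errorf("%s: checksum mismatch (go.sum %s, fetched %s)", key, want, got)
	}
	return nil
}

func main() {
	// Constructed graph: app requires b v1.2.0 directly, but a v1.0.0 requires
	// b v1.3.0, so MVS selects b v1.3.0 even though app never named it.
	reqs := Requirements{
		{Path: "example.com/app"}:                  {{"example.com/a", "v1.0.0"}, {"example.com/b", "v1.2.0"}},
		{Path: "example.com/a", Version: "v1.0.0"}: {{"example.com/b", "v1.3.0"}},
	}
	for path, ver := range BuildList(Module{Path: "example.com/app"}, reqs) {
		fmt.Printf("selected %s %s\n", path, ver)
	}
	// Constructed go.mod for b v1.3.0, pinned in a constructed go.sum line.
	goMod := []byte("module example.com/b\n\ngo 1.20\n")
	sums := ParseGoSum("example.com/b v1.3.0/go.mod " + HashGoMod(goMod) + "\n")
	fmt.Println("unchanged go.mod:", CheckGoMod(Module{"example.com/b", "v1.3.0"}, goMod, sums))
	fmt.Println("retagged go.mod: ", CheckGoMod(Module{"example.com/b", "v1.3.0"}, []byte("module example.com/b\n\ngo 1.21\n"), sums))
}
```

The build list shows why a scanner that reads only the direct require block misses what actually gets compiled, and the checksum step shows the limit of go.sum: it proves the content is the same content that was pinned, not that the content is safe.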
As we roll out broader support for Go, we're currently offering an "early access" phase with beta features and functionality for all customers. This phase will allow us to fine-tune our Go offering, ensuring that when we launch Go support with all of Socket's core analysis techniques in the near future, our integration is the best it can be.
Early access currently includes:
- Support for go.mod files, with verification against go.sum checksums
We're doubling down on our efforts to strengthen our Go capabilities. In the coming weeks, expect:
If Go forms the backbone of your software projects and you're eager to enhance their security, try out our package search and issue pages on the Socket website or upload a report with your go.mod files through our CLI.
We remain committed to our mission: making open-source software secure for every developer, regardless of the language they code in. Our journey with Go has just started, and we're eager to have you be part of it.
Questions, feedback, or just want a chat? Schedule a demo with our technical experts. Let's make Golang development safer together!
Happy Go coding! 🚀