
Product
Peter van der Zee
Ryan Eberhardt
April 17, 2025
We're excited to announce that Socket's support for Go is now generally available. If your repositories include Go projects, Socket will now automatically detect your go.mod and go.sum files and scan them for potential supply chain threats—no manual configuration required.
Go support has been available in preview for several months and has proven to be stable and reliable in production. Many users have already been benefiting from Go package scanning as part of our early access rollout, and today’s launch makes that protection available to everyone.
We’ve also had Go package pages live on the Socket site for some time. With today’s release, Go joins JavaScript, Python, Java, and Ruby as generally available languages with comprehensive scanning and alerting. (We also support Scala, Kotlin, and .NET today, and these languages will soon be moving to GA.)
While supply chain attacks are more common in ecosystems like JavaScript and Python, Go is not immune. Earlier this year, Socket uncovered a campaign targeting Go developers with typosquatted packages delivering hidden malware on Linux and macOS. And in a separate case, our researchers identified a backdoored clone of the popular BoltDB package that exploited Go’s module proxy caching to persist undetected for over three years.
These attacks couldn’t be caught by looking at metadata alone—they required analyzing the actual code inside the package to uncover hidden backdoors and obfuscated behavior.
That's why Socket doesn't just look at a package's version or origin. We analyze the actual code that gets installed. Our scanner detects obfuscation, network backdoors, misuse of exec.Command, and other indicators of compromise: threats that would otherwise go unnoticed, especially when the repository looks clean.
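The kind of code-level check the paragraph above describes, shown here as an added example. This is not Socket's scanner and not code from the post: it parses a Go source file with the standard go/parser and go/ast packages, flags calls to exec.Command, net.Dial and http.Get, and flags long whitespace-free string literals, a common carrier for hex- or base64-obfuscated payloads. The watched-call list, the 64-byte threshold and the sample source are all constructed for this example; the sample mimics a clean-looking library with a hidden init() of the shape the post describes, and its hex blob is filler. The heuristic does not resolve import aliases or types, which a real scanner must.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one suspicious construct located in the scanned source file.
type Finding struct {
	Kind   string // "exec.Command", "net.Dial", "http.Get" or "long-literal"
	Line   int
	Detail string
}

// watchedCalls maps a package.Function selector to a short description.
// The list is an assumption for this example, not Socket's rule set.
var watchedCalls = map[string]string{
	"exec.Command": "spawns a process",
	"net.Dial":     "opens an outbound connection",
	"http.Get":     "makes an outbound HTTP request",
}

// calleeName renders a call like exec.Command(...) as "exec.Command".
// Calls on non-identifier receivers (e.g. cmd.Run()) yield "".
func calleeName(call *ast.CallExpr) string {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return ""
	}
	pkg, ok := sel.X.(*ast.Ident)
	if !ok {
		return ""
	}
	return pkg.Name + "." + sel.Sel.Name
}

// ScanSource parses one Go file and reports watched calls and long,
// whitespace-free string literals (hex/base64 blobs that often carry an
// obfuscated payload). Import aliases are not resolved; this is a heuristic.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			name := calleeName(x)
			if desc, ok := watchedCalls[name]; ok {
				findings = append(findings, Finding{
					Kind: name, Line: fset.Position(x.Pos()).Line, Detail: desc,
				})
			}
		case *ast.BasicLit:
			// Value still carries its quotes; 64 is an arbitrary demo threshold.
			if x.Kind == token.STRING && len(x.Value) > 64 && !strings.ContainsAny(x.Value, " \n\t") {
				findings = append(findings, Finding{
					Kind: "long-literal", Line: fset.Position(x.Pos()).Line,
					Detail: fmt.Sprintf("%d-byte string literal with no whitespace", len(x.Value)-2),
				})
			}
		}
		return true
	})
	return findings, nil
}

// sampleSource is a constructed file that mimics the pattern the post
// describes: a clean-looking API plus a hidden init() that decodes a blob,
// hands it to exec.Command and opens a connection. The hex is filler, not a payload.
const sampleSource = `package bolt

import (
	"encoding/hex"
	"net"
	"os/exec"
)

const blob = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

func init() {
	decoded, _ := hex.DecodeString(blob)
	exec.Command("sh", "-c", string(decoded)).Run()
	net.Dial("tcp", "placeholder.invalid:443")
}

// Open looks like the legitimate library entry point.
func Open(path string) error { return nil }
`

func main() {
	findings, err := ScanSource("bolt.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("bolt.go:%d %-13s %s\n", f.Line, f.Kind, f.Detail)
	}
}
```

Run against the constructed sample it reports three findings: the long literal, the exec.Command call and the net.Dial call. The exported Open function, which is all a metadata-only check would see, produces nothing, which is the point the post makes about needing to read the installed code.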
If you’re now seeing Go alerts in places where you previously weren’t, that’s expected. Socket now scans Go modules automatically. But if you’re not using Go, or would rather not see these alerts, you can adjust this in your project settings. A new setting in the dashboard makes it easy to disable alerts for specific ecosystems.
Go support is now fully rolled out across Socket, giving every user automatic protection for Go projects. As attackers find new ways to hide malicious code in seemingly trustworthy packages, Socket's ability to analyze what a package actually does—not just where it comes from—helps developers stay ahead of emerging threats.