
Submission: Malicious Actors are targeting Go packages on Github (michenriksen.com)

ArghBlarg writes: Michael Henriksen describes his investigations into Go package manager 'supply chain' attacks and finds at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent:

It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 122.51.124.140 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won’t give them any access to systems, it’s highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting.

A good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust.
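
As an added example (not code from the submission or from the linked article): a small Go check that flags go.mod entries within two edits of a reviewed module path, the kind of lookalike described above. The allowlist, the sample go.mod and the full path github.com/utfave/cli are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// trusted is a constructed allowlist of module paths the team has reviewed.
var trusted = []string{"github.com/urfave/cli", "github.com/example/logger"}

// within reports whether a can be turned into b with at most k single-byte
// insertions, deletions or substitutions (a bounded Levenshtein check).
func within(a, b string, k int) bool {
	for len(a) > 0 && len(b) > 0 && a[0] == b[0] {
		a, b = a[1:], b[1:] // matching a shared prefix never costs an edit
	}
	if len(a) == 0 || len(b) == 0 {
		return len(a)+len(b) <= k
	}
	return k > 0 && (within(a[1:], b[1:], k-1) || within(a[1:], b, k-1) || within(a, b[1:], k-1))
}

// suspectImports scans go.mod text and maps every host/owner/repo path that is
// one or two edits away from a trusted path to the path it imitates.
func suspectImports(goMod string) map[string]string {
	hits := map[string]string{}
	for _, tok := range strings.Fields(goMod) {
		seg := strings.Split(tok, "/")
		if len(seg) < 3 {
			continue // directive, version or short path: nothing to compare
		}
		mod := strings.Join(seg[:3], "/") // ignore /v2 suffixes and subpackages
		for _, t := range trusted {
			if mod != t && within(mod, t, 2) {
				hits[tok] = t // flag for human review, not proof of malice
			}
		}
	}
	return hits
}

func main() {
	// Constructed go.mod: the first require is the lookalike named on this page.
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/utfave/cli v1.22.5\n\tgithub.com/urfave/cli/v2 v2.3.0\n)\n"
	for path, real := range suspectImports(sample) {
		fmt.Printf("%s resembles %s\n", path, real)
	}
}
```

A check like this fits in CI next to a pinned go.sum or a vendored tree, so a new near-miss import fails the build before anyone runs it.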
