Tagged articles
2 articles
TonyBai
Mar 19, 2026 · Information Security

Why Using go get @latest Can Let Hackers Hijack Your Server

Blindly running `go get @latest` can pull malicious packages into a Go project: `@latest` resolves to the newest tagged release, so a compromised version pushed by an attacker is picked up immediately. The article explains the underlying threat, examines Go's MVS (minimal version selection) and sumdb defenses, and details the proposed cooldown mechanism that mitigates such risks.
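The selection rule a cooldown implements, as an added example that is not code from the article, from the Go toolchain, or from the proposal it discusses. It assumes version publication times come from the module proxy's `@v/<version>.info` responses; the `Version` type, the version list and the timestamps are constructed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Version mirrors the Version and Time fields a module proxy returns from
// GET /<module>/@v/<version>.info; the values used below are constructed, not fetched.
type Version struct {
	Version string
	Time    time.Time
}

// parseRelease accepts "vMAJOR.MINOR.PATCH" only. Pre-releases ("v1.5.1-rc.1")
// and pseudo-versions ("v0.0.0-2026...-abcdef") are rejected, matching how
// @latest prefers tagged releases.
func parseRelease(v string) ([3]int, bool) {
	var out [3]int
	if !strings.HasPrefix(v, "v") || strings.ContainsAny(v, "-+") {
		return out, false
	}
	parts := strings.Split(v[1:], ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || (len(p) > 1 && p[0] == '0') {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// less compares releases numerically, so v1.10.0 sorts after v1.5.0.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// LatestWithCooldown picks the highest release published at least cooldown before
// now. With cooldown == 0 it behaves like @latest; with a window of several days a
// version pushed minutes ago with a stolen maintainer credential is not yet eligible.
func LatestWithCooldown(versions []Version, now time.Time, cooldown time.Duration) (string, error) {
	var best [3]int
	chosen := ""
	for _, v := range versions {
		num, ok := parseRelease(v.Version)
		if !ok || now.Sub(v.Time) < cooldown {
			continue
		}
		if chosen == "" || less(best, num) {
			chosen, best = v.Version, num
		}
	}
	if chosen == "" {
		return "", errors.New("no release is older than the cooldown window")
	}
	return chosen, nil
}

func main() {
	now := time.Date(2026, time.March, 20, 12, 0, 0, 0, time.UTC)
	// Constructed version list: v1.5.0 appeared two hours ago.
	versions := []Version{
		{"v1.4.2", now.Add(-40 * 24 * time.Hour)},
		{"v1.5.0", now.Add(-2 * time.Hour)},
		{"v1.5.1-rc.1", now.Add(-time.Hour)},
		{"v0.0.0-20260320100000-abcdef123456", now.Add(-30 * time.Minute)},
	}
	for _, window := range []time.Duration{0, 7 * 24 * time.Hour} {
		v, err := LatestWithCooldown(versions, now, window)
		fmt.Printf("cooldown %v: %q %v\n", window, v, err)
	}
}
```

With a zero window the result is the freshly pushed v1.5.0, exactly what `@latest` would resolve to; with a seven-day window the selection falls back to v1.4.2, which has had time to be inspected, and a module whose every release is younger than the window yields an error rather than a silent downgrade.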

Cooldown · Go · MVS
11 min read
TonyBai
Mar 14, 2026 · Information Security

How Go sumdb Defends Against Supply‑Chain Attacks with Transparent Logs and Tiling

The article explains how Go's checksum database (sumdb) uses an append-only transparent log, Merkle-tree inclusion and consistency proofs, and a novel tiling scheme for serving the log, giving developers cryptographic guarantees that a recorded hash exists in the log and that the log has only ever been appended to; this protects against covert supply-chain attacks and fork (split-view) attacks.
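The two proof types the summary names, worked through as an added example that is not code from the article or from Go's `golang.org/x/mod/sumdb/tlog` package. It follows the RFC 6962 tree shape and hash domain separation that Go's log also uses, but the function names, the verifier logic and the sample records are this example's own assumptions; tiling is not shown.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"math/bits"
)

// RFC 6962 / Go tlog hashing: 0x00 prefix for records, 0x01 for interior nodes.
func digest(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

func leafHash(rec []byte) []byte  { return digest([]byte{0x00}, rec) }
func nodeHash(l, r []byte) []byte { return digest([]byte{0x01}, l, r) }
func split(n int) int             { return 1 << (bits.Len(uint(n-1)) - 1) } // largest power of two below n, n >= 2

// TreeHash is the Merkle root over one or more leaves (MTH in RFC 6962).
func TreeHash(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leafHash(leaves[0])
	}
	k := split(len(leaves))
	return nodeHash(TreeHash(leaves[:k]), TreeHash(leaves[k:]))
}

// InclusionProof: sibling hashes from leaf m up to the root, root-side last (PATH in RFC 6962).
func InclusionProof(m int, leaves [][]byte) [][]byte {
	if len(leaves) == 1 {
		return nil
	}
	k := split(len(leaves))
	if m < k {
		return append(InclusionProof(m, leaves[:k]), TreeHash(leaves[k:]))
	}
	return append(InclusionProof(m-k, leaves[k:]), TreeHash(leaves[:k]))
}

// VerifyInclusion recomputes the root from leaf m of an n-leaf tree and its proof.
func VerifyInclusion(root []byte, n, m int, leaf []byte, proof [][]byte) bool {
	got, ok := climb(m, n, leafHash(leaf), proof)
	return m >= 0 && m < n && ok && bytes.Equal(got, root)
}

func climb(m, n int, h []byte, proof [][]byte) ([]byte, bool) {
	if n <= 1 || len(proof) == 0 {
		return h, n == 1 && len(proof) == 0 // a proof that is too short or too long fails
	}
	sib, rest, k := proof[len(proof)-1], proof[:len(proof)-1], split(n)
	if m < k {
		sub, ok := climb(m, k, h, rest)
		return nodeHash(sub, sib), ok
	}
	sub, ok := climb(m-k, n-k, h, rest)
	return nodeHash(sib, sub), ok
}

// ConsistencyProof (SUBPROOF in RFC 6962) shows the first m leaves are a prefix of leaves; pass oldKnown=true at the top level.
func ConsistencyProof(m int, leaves [][]byte, oldKnown bool) [][]byte {
	if m == len(leaves) {
		if oldKnown {
			return nil // the verifier already holds this hash: it is the old root
		}
		return [][]byte{TreeHash(leaves)}
	}
	k := split(len(leaves))
	if m <= k {
		return append(ConsistencyProof(m, leaves[:k], oldKnown), TreeHash(leaves[k:]))
	}
	return append(ConsistencyProof(m-k, leaves[k:], false), TreeHash(leaves[:k]))
}

// VerifyConsistency rebuilds both roots from the proof; a mismatch means a fork (split view) or a rewritten record.
func VerifyConsistency(oldRoot []byte, m int, newRoot []byte, n int, proof [][]byte) bool {
	if m < 1 || m > n {
		return false
	}
	old, nw, ok := rebuild(m, n, oldRoot, proof, true)
	return ok && bytes.Equal(old, oldRoot) && bytes.Equal(nw, newRoot)
}

func rebuild(m, n int, oldRoot []byte, proof [][]byte, oldKnown bool) ([]byte, []byte, bool) {
	switch {
	case m == n && oldKnown:
		return oldRoot, oldRoot, len(proof) == 0
	case len(proof) == 0:
		return nil, nil, false
	case m == n:
		return proof[0], proof[0], len(proof) == 1
	}
	last, rest, k := proof[len(proof)-1], proof[:len(proof)-1], split(n)
	if m <= k {
		o, w, ok := rebuild(m, k, oldRoot, rest, oldKnown)
		return o, nodeHash(w, last), ok
	}
	o, w, ok := rebuild(m-k, n-k, oldRoot, rest, false)
	return nodeHash(last, o), nodeHash(last, w), ok
}
```

To exercise it, hash a few constructed go.sum-style records, keep the root over the first three, append two more, and call `VerifyConsistency(oldRoot, 3, TreeHash(records), 5, ConsistencyProof(3, records, true))`; it returns true. Rewrite record 0 in a second copy of the log and run the same call against that copy's root and proof: it returns false, which is the fork (split-view) detection a client performs when the log it sees no longer extends the tree head it remembers. `VerifyInclusion` likewise fails for a tampered record or for a proof built for a different index.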

Consistency Proof · Go · Merkle Tree
14 min read