Abusing Go’s Infrastructure

The author discovered an unusual case in Go’s checksum database involving non-Go repositories, such as GitHub repositories with Ruby or Rust code. Through experimentation, the author found that arbitrary data can be pushed to the checksum database, potentially leading to abuse. This could allow for attacks like bypassing download restrictions, storing malware payloads, or even initiating a DoS attack on Go’s infrastructure. While not a severe issue, it highlights potential vulnerabilities that could be addressed. The author concludes by suggesting further exploration into the motives behind non-Go projects in the database and hints at ongoing research into this intriguing topic.

https://reverse.put.as/2024/05/24/abusing-go-infrastructure/
