English

GoSurf: Identifying Software Supply Chain Attack Vectors in Go

Cryptography and Security 2025-09-05 v2

Abstract

In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks, as a single compromised package can have cascading impacts. Existing supply chain attack taxonomies overlook language-specific features that can be exploited by attackers to hide malicious code. In this paper, we propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our taxonomy identifies patterns in which language-specific Go features, intended for benign purposes, can be misused to propagate malicious code stealthily through supply chains. Additionally, we introduce GoSurf, a static analysis tool that analyzes the attack surface of Go packages according to our proposed taxonomy. We evaluate GoSurf on a corpus of widely used, real-world Go packages. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem, allowing developers and security analysts to prioritize code audit efforts and uncover hidden malicious behaviors.

Keywords

Cite

@article{arxiv.2407.04442,
  title  = {GoSurf: Identifying Software Supply Chain Attack Vectors in Go},
  author = {Carmine Cesarano and Vivi Andersson and Roberto Natella and Martin Monperrus},
  journal= {arXiv preprint arXiv:2407.04442},
  year   = {2025}
}
R2 v1 2026-06-28T17:30:08.045Z