> The fact that developers have to explicitly write out which module to import in every file where they want to use an external package makes it less likely that any confusion can happen
Feels to me like they are joking.
When you have to type out the name in every single file you have a chance of making the mistake every single time you're typing it; while a centralised approach allows one to concentrate on the added import.
One of the vectors of attack using this library is to create a Merge Request that slightly changes the name of the import in one of the N files you are changing. Good luck spotting that as a reviewer.
There would also (by necessity) be a change in the centralized `go.mod` file (and `go.sum`) that corresponds to the addition of the new, almost-duplicate package being imported. Definitely spottable. Unless someone is using the deprecated GOPATH functionality, in which case things might be harder to spot. However, the author specifically pointed out how rare this attack seems to be in the Go ecosystem.
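A reviewer-side check for the `go.mod` signal described in the comment above, added here as an example (it is not code from this thread or from any project discussed in it). The `go.mod` text and import paths are constructed sample data; `github.com/stretchr/testifiy` is a made-up look-alike of the real `testify` module, used only to show what the check flags. The idea is to parse the `require` entries, report any two module paths that are within a couple of edits of each other, and list which imports in the changed files resolve to each of them:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod content for the example; not taken from a real project.
// "testifiy" is a made-up look-alike of the testify module path.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/stretchr/testify v1.8.4
	golang.org/x/text v0.14.0 // indirect
	github.com/stretchr/testifiy v0.0.1
)
`

// Constructed import paths as they might appear across changed .go files.
var sampleImports = []string{
	"fmt",
	"github.com/stretchr/testify/assert",
	"golang.org/x/text/unicode/norm",
	"github.com/stretchr/testifiy/assert",
}

// requiredModules returns the module paths named by require directives,
// handling both the block form and single-line "require x v1" lines.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		switch {
		case inBlock && len(fields) >= 2:
			mods = append(mods, fields[0])
		case len(fields) >= 3 && fields[0] == "require":
			mods = append(mods, fields[1])
		}
	}
	return mods
}

// levenshtein is the edit distance between two strings.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, minInt(cur[j-1]+1, prev[j-1]+cost))
		}
		prev = cur
	}
	return prev[len(rb)]
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// nearDuplicates returns pairs of required modules whose paths differ by at
// most maxDist edits, the pattern a look-alike module produces in go.mod.
func nearDuplicates(mods []string, maxDist int) [][2]string {
	var pairs [][2]string
	for i := 0; i < len(mods); i++ {
		for j := i + 1; j < len(mods); j++ {
			if d := levenshtein(mods[i], mods[j]); d > 0 && d <= maxDist {
				pairs = append(pairs, [2]string{mods[i], mods[j]})
			}
		}
	}
	return pairs
}

// importsOfModule lists the import paths that resolve to a given module.
func importsOfModule(imports []string, mod string) []string {
	var hits []string
	for _, p := range imports {
		if p == mod || strings.HasPrefix(p, mod+"/") {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	mods := requiredModules(sampleGoMod)
	for _, pair := range nearDuplicates(mods, 2) {
		fmt.Printf("near-duplicate modules: %s <-> %s\n", pair[0], pair[1])
		for _, m := range pair {
			fmt.Printf("  %s imported as %v\n", m, importsOfModule(sampleImports, m))
		}
	}
}
```

Because `go build` already rejects an import whose module is missing from `go.mod`, the signal worth automating on a merge request is a new `require` line that is one or two edits away from an existing one; running this kind of comparison in CI against the changed `go.mod` turns the "definitely spottable" diff into something that does not depend on a reviewer noticing one character across N files.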
If the author identified malicious repos on user accounts that were created solely to make those malicious repos... it seems like something the author should have reported to GitHub. I wonder if GitHub would actually do anything, though.
By the time it’s in your go.mod, the malicious software has already been downloaded and installed on your machine, though. Damage may already have been done at that point.
I think I just made an example of receiving a merge request somewhere on Github, where you don't have access to the preprocessor or are not running it yourself. It is easy to accept the change when the change looks so much like lines in other files.
The issue was resolved by the comment on the same level, however your comment added 0 to the discussion.