I'd suggest the original article makes for better reading. https://socket.dev/blog/wget-to-wipeout-malicious-go-modules-fetch-destructive-payload
How does this get executed in practice? To my knowledge, simply go getting a package doesn't execute any code, so perhaps this has to run when the user imports the package in a running Go program?
The open source supply chain is obviously highly vulnerable to this sort of attack.<p>Less obvious is the motivation in this particular case. Why destroy someone's data with no real gain from it?