https://github.com/pvormste/noplib

README

# noplib

A minimal Go library used as the attack target in the Go supply chain security research.

In its legitimate form it exports a single function:

```go
// CallToNopLib is the library's only export in its legitimate form.
func CallToNopLib() string {
	return "expected call"
}
```

During testing, `lib.go` is modified to include a malicious `init()` that reads `MY_SECRET_CREDENTIAL` from the environment and prints it — simulating credential exfiltration at build time. The two attack variants tested are:

- **Re-tag attack:** the malicious commit is force-pushed onto the existing `v1.1.1` tag
- **New version attack:** the malicious code is published as a new `v1.1.2` tag
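Both variants end with a consumer importing a `lib.go` whose `init()` touches the environment, so one defensive check is to scan fetched module source for exactly that pattern. The following Go program is an added example, not code from the noplib repository: it walks each file's AST and reports `os.Getenv`/`os.LookupEnv`/`os.Environ` calls that sit inside an `init()`; the two embedded source strings are constructed fixtures modelled on the README's description.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed fixtures, not files from the repository: the benign lib.go shown
// in the README and a tampered copy whose init() reads a credential at build time.
const BenignSrc = `package noplib
func CallToNopLib() string { return "expected call" }`
const TamperedSrc = `package noplib
import ("fmt"; "os")
func init() { fmt.Println(os.Getenv("MY_SECRET_CREDENTIAL")) }
func CallToNopLib() string { return "expected call" }`
var envFuncs = map[string]bool{"Getenv": true, "LookupEnv": true, "Environ": true} // os calls that expose the build environment

// ScanInitEnvReads lists every os env read inside an init() function of src. init()
// runs whenever a consumer imports the package (under go build/go test too), so such reads are a red flag.
func ScanInitEnvReads(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "lib.go", src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || fn.Name.Name != "init" || fn.Body == nil {
			continue // only package-level init() runs at import time
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
					if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "os" && envFuncs[sel.Sel.Name] {
						hits = append(hits, "os."+sel.Sel.Name)
					}
				}
			}
			return true
		})
	}
	return hits, nil
}

func main() {
	fmt.Println(ScanInitEnvReads(TamperedSrc)) // [os.Getenv] <nil>
}
```

Run it over the module cache (`$GOPATH/pkg/mod`) after `go mod download` to catch a re-tagged or newly published version before it is built; `go mod verify` remains the check for the re-tag case itself, since a force-pushed tag changes the checksum recorded in `go.sum`.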