Cybersecurity professionals are police officers and detectives first, technologists second. They are supposed to catch criminals who abuse technology. I find it distasteful to blame a tool and an entire community for things that criminals are responsible for.
There is nothing about Go, or Cargo, or Nuget, or any of the other systems that prevents criminals from committing crimes. Some cleverness can slow them down, or block certain roads to exploiting these systems, but managing risk in a supply chain is essential no matter which technology ecosystem is used.
Let's stop name-calling and throwing shade at specific tools and communities and get better at educating newcomers to the trade, and shaming and ostracizing the cyber-criminals who are causing the problems.
Just this year Microsoft removed 300 NuGet packages by mistake as they were trying to automate defenses. They got pretty bad press after that, so you will get bad comments one way or the other.
The NPM ecosystem is very open; it is not a bug, it is a feature. There are of course issues that come from being open, but NPM already has a lot of security features in place.