Module path confusion + LICENSE strip = the three-hit combo of a supply-chain attack
Confidence Likely
Updated 2026-05-26
Review by 2026-09-22
Sources 3
Machine-translated Original (JA) #security/supply-chain#security/dependency#security/dd
On this page
Wiki route
This entry sits under FinWiki index. Read it with fork-and-rebrand audit framework for peer context and systems index for the broader dependency boundary.
[!info] TL;DR A combination of 3 independent operations forms a supply-chain attack: (1) spoof the upstream (e.g., github.com/cosmos/…) in the module path of go.mod / package.json; (2) hijack the spoofed path to one’s own fork with a replace directive; (3) delete the LICENSE of the main repository. When a downstream user imports the “legitimate” path, what actually executes is the fork. On the regulated VASP route, this kind of attack surface is partially covered by the Domestic VASP security / audit / ISMS certification landscape system.
1. Module path confusion
- Go: module github.com/cosmos/cosmos-sdk, but the actual repository is github.com/
/x - npm: name @cosmos/sdk, but the scope is not owned by the company itself
- When a user runs go get github.com/cosmos/cosmos-sdk, they may obtain the spoofed fork via GOPROXY
2. Replace hijack
- go.mod contains replace github.com/cosmos/cosmos-sdk => ./fork
- When an upstream user pulls in the project, the replace passes through transparently and they are forced to use the fork
- Combined with the module path, this constitutes a double spoof
3. LICENSE strip
- No LICENSE file is placed in the main repository
- Even if the original project is a fork of Apache 2.0, downstream users are, legally, using it without a license
- This step is easily overlooked, yet it markedly expands the legal surface
Identification checklist
- Does the module path on line 1行 of go.mod match the GitHub URL?
- Is there a replace directive in go.mod?
- Is there a LICENSE / LICENSE.md / LICENSE.txt at the root of the main repository?
- Does the name field of package.json match the actual scope on the npm registry?
- Has the original fork name slipped into a commit message (e.g., a self-incriminating string like “for
”)?
When to Use
- Cases where a project claims to be “fully developed in-house” but the repository structure closely resembles a fork
- Cases where a downstream user riding on this dependency conducts a supply-chain risk audit — in major incidents like Bybit Lazarus hack, the real risk of social-engineering / build-toolchain attacks on the third-party-dependency side is fully exposed
- Cases where the legal side evaluates “which OSS this company uses / whether the licensing is appropriate”
When NOT to Use
- A project that explicitly states “fork of X” and retains the original LICENSE — this qualifies as a legitimate fork
- A purely application-layer project with no module-path concept
- A closed-source, un-auditable project (which must be addressed via another route) — for example, a case like Canton on a permissioned chain must follow a governance + auditor route rather than source diff
Provenance
- Case study (vaporware audit): a case where most of the code was directly copied from an upstream public-chain project, the upstream module path was spoofed in go.mod, it was hijacked to a local fork with replace, the LICENSE of the main repository was deleted, and the upstream project name leaked into a commit message, self-incriminating the project
Discovery
Keep reading
Read next
- Proxy-upgradeable contract rug pattern — admin upgrade rights as a backdoor This entry sits under security domain. Read it against bytecode forensic three-tier verify for the on-chain verification mechanics it depends on, and against ERC-4337 overview for the broade... security/proxy-upgrade-rug-pattern
- Rescuing Actively De-published Content — Using the Wayback Machine as a Forensic Weapon This entry sits under FinWiki index. Read it with forensic identity anchor chain for peer context and systems index for the broader evidence boundary. security/wayback-machine-as-forensic-tool
- Etherscan verified-source poisoning — why \"verified\" is not \"the bytecode\" This entry sits under security domain. Read it with bytecode forensic three-tier verify as the hands-on counterpart, and against proxy-upgrade rug pattern for the case where the shown source... security/etherscan-verified-source-poisoning
Links here
- LLM and AI agent applications in finance · 2026-05 application surface overview As of mid-2026, the LLM / AI-agent footprint in finance has bifurcated into shipped production surfaces (customer-facing chatbots, back-office automation, fraud / AML triage, developer copil... agent-economy/llm-agent-finance-application-overview-2026
- Bybit Lazarus $14.6 億 hack detailed analysis (2025-02) — largest crypto-asset outflow in history This entry sits under exchanges index. Read it against DMM Bitcoin 流出事件 詳細分析 (2024-05) — Lazarus 帰属 4,502.9 BTC for peer / contrast context and FSA 暗号資産交換業登録制度 — 番号体系・財務局管轄・登録要件 for the broa... exchanges/bybit-lazarus-hack-detailed-analysis
- CEX matching engine + cold/hot wallet internal architecture This entry sits under exchanges index. Read it against 国内 VASP コールド保管 95% + 分別管理制度 for peer / contrast context and FSA 暗号資産交換業登録制度 — 番号体系・財務局管轄・登録要件 for the broader system / regulatory bound... exchanges/cex-matching-engine-wallet-architecture
- Git history rewrite detection — recovering squashed and force-pushed states This entry sits under security domain. It is the source-code analogue of Wayback Machine as a forensic tool (which recovers de-published web content), and it feeds the people-layer work in f... security/git-history-rewrite-detection
- Typosquatting package detection checklist — npm / PyPI / Go name-confusion triage This entry sits under security domain. It generalizes the concrete attack in module path confusion + LICENSE strip supply chain attack into a reusable, registry-agnostic triage checklist, an... security/typosquatting-package-detection-checklist