A cracked malicious version of a Go package lay undetected online for years

Someone’s been abusing GitHub’s Go Module Mirror service, allowing the attack to persist.