Go modules · proxy.golang.org

cos.googlesource.com/cos/tools.git

Remote Payload: matched "cURL "

Why PkgRadar flagged v0.0.0-20260603222957-5d7b1afb431c

Severity	Signal	Evidence
medium	Remote Payload	matched "cURL " · cos.googlesource.com/cos/[email protected]/src/cmd/cos_customizer/install_packages.go
medium	Remote Payload	matched "cURL " · cos.googlesource.com/cos/[email protected]/src/pkg/provisioner/install_packages_step.go
medium	Remote Payload	matched "cURL " · cos.googlesource.com/cos/[email protected]/src/pkg/tools/sbomutil/sbomutil.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260603222957-5d7b1afb431c`	High risk	41	2026-06-04

Block this in CI

PkgRadar gates cos.googlesource.com/cos/tools.git (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go cos.googlesource.com/cos/[email protected]