Go modules · proxy.golang.org

github.com/parca-dev/opentelemetry-ebpf-profiler

Remote Payload: matched "curL "

Why PkgRadar flagged v0.0.0-20260608192129-78a99d74eac0

Severity	Signal	Evidence
medium	Remote Payload	matched "curL " · github.com/parca-dev/[email protected]/interpreter/luajit/extractor_aarch64.go
medium	Remote Payload	matched "curL " · github.com/parca-dev/[email protected]/interpreter/luajit/extractor_x86.go
medium	Remote Payload	matched "curL " · github.com/parca-dev/[email protected]/interpreter/luajit/offsets.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260608192129-78a99d74eac0`	High risk	36	2026-06-10
`v0.0.202624-0.20260603174733-ae8b18dc381b`	High risk	36	2026-06-06
`v0.0.202623`	High risk	36	2026-06-06
`v0.0.202619-0.20260528212143-a603630061b0`	High risk	36	2026-06-02
`v0.0.0-20260529230740-6e0f3ddf92f2`	High risk	36	2026-06-02
`v0.0.0-20260528163918-35d71dfde7ec`	Review	36	2026-05-29
`v0.0.202619-0.20260528161805-1047e9761e11`	Review	36	2026-05-29
`v0.0.0-20260528161805-1047e9761e11`	Review	36	2026-05-29
`v0.0.0-20260528142319-c9ad5c398d7b`	Review	36	2026-05-29
`v0.0.202619-0.20260528142319-c9ad5c398d7b`	Review	36	2026-05-29

Block this in CI

PkgRadar gates github.com/parca-dev/opentelemetry-ebpf-profiler (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/parca-dev/[email protected]