GoLeash: Mitigating Golang Software Supply Chain Attacks with Runtime Policy Enforcement

📅 2025-05-16
🤖 AI Summary
Malicious third-party packages in the Go ecosystem pose significant threats to software supply chain security. Existing defenses rely on coarse-grained process- or container-level sandboxing and lack fine-grained, package-level runtime policy enforcement.

Method: This paper proposes a package-level least-privilege runtime policy enforcement mechanism. It combines binary instrumentation, package-specific behavioral modeling, and dynamic permission control to precisely detect anomalous behaviors at runtime. Its lightweight policy engine is resilient to code obfuscation, addressing the blind spots of static analysis.

Contribution/Results: This work is the first to realize fine-grained, package-level security policy enforcement in Go. Evaluated in real cloud environments, it incurs an average runtime overhead of less than 8.2%, maintains compatibility with mainstream Go versions, and significantly improves detection accuracy for malicious packages.
📝 Abstract
Modern software supply chain attacks introduce new, malicious capabilities into trusted third-party software components in order to reach a victim through a package dependency chain. These attacks are especially concerning for the Go language ecosystem, which is extensively used in critical cloud infrastructure. We present GoLeash, a novel system that applies the principle of least privilege at package-level granularity by enforcing distinct security policies for each package in the supply chain. This finer granularity enables GoLeash to detect malicious packages more precisely than traditional sandboxing, which applies security policies at the process or container level. Moreover, GoLeash remains effective under obfuscation, overcomes the limitations of static analysis, and incurs acceptable runtime overhead.
Problem

Research questions and friction points this paper is trying to address.

Mitigating Go language supply chain attacks via runtime policy enforcement
Enforcing least privilege at the package level to detect malicious dependencies
Overcoming the limits of static analysis with obfuscation-resistant protection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Enforces package-level least privilege policies
Detects malicious packages more precisely than sandboxing
Effective under obfuscation with low runtime overhead