Hi team,
I hope you are well. I found a dependency confusion vulnerability in this repo.
When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/Makefile#L188
go get github.com/GoASTScanner/gas
I then tested this URL and it was redirecting to https://github.com/securego/gosec. So I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But to not impact any users, I did the following steps.
1.) I forked https://github.com/securego/gosec
2.) I changed the repo name from gosec to gas
3.) I changed my username from akincibor to GoASTScanner
4.) I re-changed my username from GoASTScanner to `akincibor`
Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.
Everyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without changing it back.
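A defender-side check for the condition this report describes, written as an added example (it is not code from the report or from the bloom project): the program asks the host whether a path taken from a `go get` line still resolves to the same owner/repo by handing back the 3xx instead of following it. A redirect to a different owner/repo means the name in the build file is stale and should be replaced with the current canonical path. GitHub is stood in for by a constructed local test server so the example runs offline; the function and type names are the example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RepoKey reduces "github.com/Owner/Repo", a full URL or a "/Owner/Repo" path to lower-cased "owner/repo".
func RepoKey(s string) string {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "https://"), "http://")
	if i := strings.Index(s, "/"); i > 0 {
		s = s[i:] // drop the host
	}
	if p := strings.Split(strings.Trim(s, "/"), "/"); len(p) >= 2 {
		return strings.ToLower(p[0] + "/" + p[1])
	}
	return ""
}

// CheckDependency requests url without following redirects and reports whether the server now sends the declared repository to a different owner/repo.
func CheckDependency(declared, url string) (moved bool, target string, err error) {
	c := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := c.Head(url)
	if err != nil {
		return false, "", err
	}
	resp.Body.Close()
	if loc := resp.Header.Get("Location"); loc != "" { // a 3xx was returned, not followed
		target = RepoKey(loc)
		moved = target != RepoKey(declared)
	}
	return moved, target, nil
}

func main() {
	// Constructed stand-in for GitHub: the old repository name answers 301 to the new one.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(r.URL.Path, "/GoASTScanner/gas") {
			http.Redirect(w, r, "/securego/gosec", http.StatusMovedPermanently)
		}
	}))
	defer srv.Close()
	for _, dep := range []string{"github.com/GoASTScanner/gas", "github.com/securego/gosec"} {
		moved, target, err := CheckDependency(dep, srv.URL+"/"+strings.TrimPrefix(dep, "github.com/"))
		fmt.Printf("%s moved=%v target=%q err=%v\n", dep, moved, target, err)
	}
}
```

Against the real host, pass `"https://" + dep` as the url; a `moved=true` result for a dependency pinned by name in a Makefile is the finding to fix.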