Hijacked Go packages deploy infostealer via VS Code tasks

The supply-chain story leads: researchers found 16 Go packages, alongside hijacked npm modules, smuggling fake font files that abuse VS Code tasks to drop a Python infostealer. Audit your go.sum before the long weekend. On the language side, jba has filed a proposal to add insertion ordering to the still-incubating container/hash.Map, so iteration could optionally behave less like the built-in map's random walk. Elsewhere, a Medium piece argues that Green Tea GC shipping as the default has quietly invalidated a lot of latency dashboards, with alerts firing for the wrong reasons against the new pause model. A good prompt to revisit those thresholds.