Because the Go and Packagist registries don't require additional publishing credentials like NPM and PyPI North Korean threat actors have been able to compromise legitimate packages via their PolinRider campaign.