how does this keep happening?


A backdoor in a Go programming language module stayed active for over 3 years as part of a supply chain attack that exploited a Go module mirror's caching system. This highlights the inherent risks of relying on third-party code in languages like Go, Python, Rust, and JavaScript. The attack used typosquatting to trick developers into downloading malicious packages. Although the malicious GitHub package was cleaned up, the security loophole underscores the need for better verification and review processes for cached packages.
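One way to check a cached module copy against the upstream tag, as an added example that is not from the video or the Go project: it computes the `h1:` directory hash that `go.sum` records for both file trees and reports a mismatch. The module path, file contents and function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Constructed file trees for one module version (hypothetical module path):
// what the upstream tag holds now, and what a mirror cached earlier.
var upstream = map[string]string{
	"example.com/acme/kvstore@v1.3.1/go.mod": "module example.com/acme/kvstore\n",
	"example.com/acme/kvstore@v1.3.1/db.go":  "package kvstore\n\nfunc Open() {}\n",
}

var cached = map[string]string{
	"example.com/acme/kvstore@v1.3.1/go.mod": "module example.com/acme/kvstore\n",
	"example.com/acme/kvstore@v1.3.1/db.go":  "package kvstore\n\nfunc Open() {}\n\nfunc init() {}\n",
}

// hash1 computes a go.sum-style "h1:" directory hash: SHA-256 over the sorted
// list of "<sha256 of file>  <name>\n" lines, base64-encoded.
func hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256([]byte(files[name])), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// diverged reports whether the cached copy differs from the upstream tag.
func diverged(cachedTree, upstreamTree map[string]string) bool {
	return hash1(cachedTree) != hash1(upstreamTree)
}

func main() {
	fmt.Println("upstream:", hash1(upstream))
	fmt.Println("cached:  ", hash1(cached))
	fmt.Println("diverged:", diverged(cached, upstream))
}
```

A mismatch means the mirror is serving content that the tag in the source repository no longer contains, which is the case where the cached copy needs review rather than the repository.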

•6m watch time