https://lab.atomdrift.org/file/0aa17ae1434d2d8f0012d9469048f95058b86f8c17a4afe054f406d0d5365164
It claims 24 findings for supply-chain/trojanized/app - "App package targets credentials for HTTP exfiltration" but all the evidence seems like pretty innocuous mostly JS stuff, and a quick browse through the repo finds no Go code at all. I'm not totally sure why it was in the Go proxy in the first place.
In any case, this seems like a spurious finding, which raised my eyebrow because it was a seemingly widely-depended-upon, hostile package.
edit: first! :)