The Trojan Source vulnerability allows supply-chain attacks on software written in C, C++, Go, Java, Javascript, Python and Rust. We're releasing details after a 99-day coordinated disclosure period, and some of these compilers will be patched quickly. See