The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.
This can be caused by malicious unquoted symbol name in a linked object file.