rgoulter
9 months ago
I'd suggest the original article makes for better reading. https://socket.dev/blog/wget-to-wipeout-malicious-go-modules...
throawayonthe
9 months ago
[dead]
9 months ago
How does this get executed in practice? To my knowledge, simply go getting a package doesn't execute any code, so perhaps this has to run when the user imports the package in a running Go program?
9 months ago
The open source supply chain is obviously highly vulnerable to this sort of attack.
Less obvious is the motivation in this particular case. Why destroy someone's data with no real gain from it?
9 months ago
Because open source represents a threat to someone's business model versus encouraging big spenders to buy wholly proprietary solutions.