Typosquatting Package Managers

Fascinating attack on unmoderated package managers for programming libraries (via former TimeDoctor contributor, Vogon)  that would work just as well on unmoderated app stores:

In the second part of 2015 and the early months of 2016, I worked on my bachelors thesis. In this thesis, I tried to attack programming language package managers such as Pythons PyPi, NodeJS Npmsjs.com and Rubys rubygems.org. The attack does not exploit a new technical vulnerability, it rather tries to trick people into installing packages that they not intended to run on their systems

[…]

So basically we create a fake package that has a similar name as a famous package on PyPi, Npmjs.com or rubygems.org. For example we could upload a package named reqeusts instead of the famous requests module.

It ends up being very successful:

In two empirical phases, exactly 45334 HTTP requests by 17289 unique hosts (distinct IP addresses) were gathered. This means that 17289 distinct hosts executed the program above and sent the data to the webserver which was analyzed in the thesis. The number of HTTP requests is for various reasons higher than the number of distinct IP addresses. The main reason is that pip executes the setup.py file twice on installation. Don’t ask me why.

Author: Jack Slater

A Philadelphian exiled to Hawaii. You can follow or contact me on Twitter where I'm @TimeDoctor, via the contact page, or via e-mail to zjs AT zacharyjackslater dot com More here.

Leave a Reply