In my last blog post about typosquatting package managers I discussed my findings about attacking the programming language package managers from rubygems.org, PyPi and npmjs.com.
This blog contribution generated quite some interest and people subsequently asked themselves whether other package managers might also be vulnerable to this hybrid attack (typosquatting involves a technical and psychological attack vector). During the time I wrote my thesis, I encountered some other package managers. A very good overview of some of the most recent package managers gives the github showcase page about package managers which is summarized in the table below:
| Package Manager Name | # of Stars on Github |
|---|---|
| bower/bower | 14257 |
| VundleVim/Vundle.vim | 11969 |
| npm/npm | 9664 |
| alcatraz/Alcatraz | 8936 |
| CocoaPods/CocoaPods | 8115 |
| composer/composer | 7909 |
| Carthage/Carthage | 7160 |
| jordansissel/fpm | 6722 |
| componentjs/component | 4503 |
| apple/swift-package-manager | 4318 |
| wbond/package_control | 3018 |
| pypa/pip | 2911 |
| chocolatey/chocolatey | 2741 |
| Masterminds/glide | 2163 |
| tmux-plugins/tpm | 1961 |
| Homebrew/brew | 1757 |
| rust-lang/cargo | 1705 |
| rubygems/rubygems | 1547 |
| caolan/jam | 1540 |
| volojs/volo | 1326 |
| gpmgo/gopm | 1027 |
| spmjs/spm | 882 |
| atom/apm | 690 |
| freshshell/fresh | 674 |
| ruslo/hunter | 436 |
| ocaml/opam | 425 |
| NuGet/Home | 367 |
The obvious question now is: How many of those package managers …
Continue reading