Edit: It seems that the blog post and the thesis caused quite some interest. Please contact me at the following mail address, since my mail server on this VPS is constantly down :/ tschachn [|[at]|] hu-berlin [[|dot|]] de
- 17000 computers were forced to execute arbitrary code by typosquatting programming language packages/libraries
- 50% of these installations were conducted with administrative rights
- Even highly security aware institutions (.gov and .mil hosts) fell victim to this attack
- a typosquatting attack becomes wormable by mining the command history data of hosts
- what good defenses against typosquatting on package managers might look like
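As a worked illustration of the defensive side (the last bullet above), here is an added Python example; it is not code from the original post or the thesis. It normalizes package names the way PyPI does (PEP 503: case-insensitive, runs of `-`, `_` and `.` collapse to `-`) and flags a requested name that sits within one edit (insertion, deletion, substitution or adjacent transposition) of a well-known package, which covers the typo classes a typosquatter registers. The popular-package list and the requirements lines are constructed for the example; a real check would load the registry's actual download ranking.

```python
"""Flag package names that look like typos of well-known packages.

Added example, not part of the original post or thesis. POPULAR_PACKAGES
and SAMPLE_REQUIREMENTS are constructed for illustration (assumption: a
real deployment uses the registry's top-N download list).
"""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample of well-known PyPI names.
POPULAR_PACKAGES = [
    "requests", "urllib3", "setuptools", "numpy",
    "python-dateutil", "cryptography", "pyyaml",
]

# Constructed requirements.txt-style input with two typos and one
# dropped separator mixed in with legitimate entries.
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "reqeusts",            # transposed characters
    "urlib3>=1.26",        # missing letter
    "numpy",
    "python_dateutil",     # legal spelling: normalizes to python-dateutil
    "pythondateutil",      # separator dropped
    "# a comment line",
]


def normalize(name: str) -> str:
    """PEP 503 name normalization as used by PyPI / pip."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def typosquat_target(name: str,
                     popular: Sequence[str] = POPULAR_PACKAGES,
                     max_distance: int = 1) -> Optional[str]:
    """Return the popular package that `name` most likely imitates, or None.

    An exact match after normalization is the real package, not a squat.
    Dropping or adding a separator ('pythondateutil' for 'python-dateutil')
    is treated as one edit even if the raw distance is larger.
    """
    n = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for p in popular:
        pn = normalize(p)
        if n == pn:
            return None
        dist = damerau_levenshtein(n, pn)
        if n.replace("-", "") == pn.replace("-", ""):
            dist = min(dist, 1)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    return best[0] if best else None


def audit_requirements(lines: Sequence[str]) -> List[Tuple[str, str]]:
    """Scan requirements.txt-style lines; return (requested, imitated) pairs
    for every entry that looks like a typo of a well-known package."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Cut version specifiers, extras and markers off the project name.
        pkg = re.split(r"[=<>!~\[; ]", line, 1)[0]
        target = typosquat_target(pkg)
        if target:
            findings.append((pkg, target))
    return findings


if __name__ == "__main__":
    for requested, imitated in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} looks like {imitated!r}")
```

A distance threshold of 1 keeps false positives low on short names; for registries where names are long and heavily overlapping, it is worth raising the threshold only for names above a length cutoff, and pairing the check with a download-count lookup so that an established package is never flagged for resembling another.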
The complete thesis can be downloaded as a PDF.
In the second half of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming language package managers such as Python's PyPI, Node.js's npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; it rather tries …