What other package managers are vulnerable to typo squatting attacks?

Posted on June 30, 2016 in Security • Tagged with security, Typosquatting, nuget, cargo • 6 min read

In my last blog post about typosquatting package managers I discussed my findings about attacking the programming language package managers from rubygems.org, PyPi and npmjs.com.

This blog contribution generated quite some interest and people subsequently asked themselves whether other package managers might also be vulnerable to this hybrid attack (typosquatting involves a technical and psychological attack vector). During the time I wrote my thesis, I encountered some other package managers. A very good overview of some of the most recent package managers gives the github showcase page about package managers which is summarized in the table below:

Package Manager Name # of Stars on Github
bower/bower 14257
VundleVim/Vundle.vim 11969
npm/npm 9664
alcatraz/Alcatraz 8936
CocoaPods/CocoaPods 8115
composer/composer 7909
Carthage/Carthage 7160
jordansissel/fpm 6722
componentjs/component 4503
apple/swift-package-manager 4318
wbond/package_control 3018
pypa/pip 2911
chocolatey/chocolatey 2741
Masterminds/glide 2163
tmux-plugins/tpm 1961
Homebrew/brew 1757
rust-lang/cargo 1705
rubygems/rubygems 1547
caolan/jam 1540
volojs/volo 1326
gpmgo/gopm 1027
spmjs/spm 882
atom/apm 690
freshshell/fresh 674
ruslo/hunter 436
ocaml/opam 425
NuGet/Home 367

The obvious question now is: How many of those package managers …

Continue reading

Typosquatting programming language package managers

Posted on June 08, 2016 in Security • Tagged with PyPi, Npmjs.com, rubygems.org, security, Typosquatting • 10 min read

Edit: It seems that the blog post and the thesis caused quite some interest. Please contact me under the following mail address: admin [|[at]|] incolumitas [[|dot|]] com

In this blog post, it is demonstrated how

  • 17000 computers were forced to execute arbitrary code by typosquatting programming language packages/libraries
  • 50% of these installations were conducted with administrative rights
  • Even highly security aware institutions (.gov and .mil hosts) fell victim to this attack
  • a typosquatting attack becomes wormable by mining the command history data of hosts
  • some good defenses against typosquatting package managers might look like

The complete thesis can be downloaded as a PDF.

In the second part of 2015 and the early months of 2016, I worked on my bachelors thesis. In this thesis, I tried to attack programming language package managers such as Pythons PyPi, NodeJS Npmsjs.com and Rubys rubygems.org. The attack does not exploit a new technical vulnerability, it rather tries to trick people into installing packages that they not intended to run on their systems.

DNS Typosquatting

In the domain name system, typosquatting is a well known problem. Typosquatting is the malicious registering of a domain that is lexically similar to another, often highly …

Continue reading