Typosquatting package names allows remote code execution

My student Nikolai Tschacher has released his bachelor thesis about typosquatting attacks on command-line-based package managers. Nikolai carried out a covert field study to determine to what extent software developers make typos when they install packages on the command line. Installing packages on the command line has become popular with the advent of frameworks like NodeJS (npm) and languages like Ruby (gem).

Typos during installation endanger development and production machines. The open nature of many repositories allows anyone to upload a malicious package whose name resembles that of a very popular package. This is especially problematic because on many platforms packages can execute arbitrary code during installation, and that code may run with superuser privileges.

While our findings – developers do make quite a lot of typos – are not particularly surprising, they created quite a buzz on Hacker News, Reddit, and Twitter.

The thesis also contains a section on countermeasures. Until those have been deployed, we encourage package repository maintainers to be on the lookout for malicious upload activities.
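As an added illustration of the two points above (name confusion plus install-time code execution, and what a repository maintainer could look out for), here is a small screening check for new uploads. It is example code written for this post, not from the thesis or from any package repository. It assumes a constructed list of "popular" package names, constructed sample manifests, and the npm lifecycle script names `preinstall`, `install` and `postinstall` as the install-time hooks; the distance threshold of one edit is an assumption as well.

```python
"""Repository-side screening for typosquatting uploads (added example).

Assumptions: POPULAR and SAMPLE_UPLOADS are constructed for illustration;
INSTALL_HOOKS are the npm lifecycle scripts that run on installation.
"""

# Constructed list of names an attacker would want to sit next to.
POPULAR = ["express", "lodash", "request", "underscore", "coffee-script"]

# npm lifecycle scripts that execute during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1.  Transpositions are included
    because swapping two neighbouring keys is a very common typing error."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Collapse separator variants: hyphen/underscore/dot confusion is a
    typo family of its own, so it is measured at distance 0."""
    return name.lower().replace("_", "-").replace(".", "-")


def screen_upload(manifest: dict, popular: list, max_distance: int = 1) -> dict:
    """Flag a new manifest whose name is close to a popular package.

    A near match alone warrants review; a near match that also declares
    install-time scripts is the combination the post warns about and is
    marked high priority."""
    name = manifest["name"]
    norm = normalize(name)
    near = [p for p in popular
            if p != name and damerau_levenshtein(norm, normalize(p)) <= max_distance]
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    return {
        "name": name,
        "near_matches": near,
        "install_hooks": hooks,
        "review": bool(near),
        "high_priority": bool(near) and bool(hooks),
    }


# Constructed sample uploads: a dropped letter, a transposition, a
# separator swap, and an unrelated package that happens to use a hook.
SAMPLE_UPLOADS = [
    {"name": "expres", "scripts": {"postinstall": "node setup.js"}},
    {"name": "lodahs", "scripts": {}},
    {"name": "coffee_script"},
    {"name": "my-own-tool", "scripts": {"postinstall": "node build.js"}},
]


def screen_all(uploads: list = SAMPLE_UPLOADS, popular: list = POPULAR) -> list:
    """Screen every upload and return only the ones needing review."""
    return [r for r in (screen_upload(u, popular) for u in uploads) if r["review"]]


if __name__ == "__main__":
    for result in screen_all():
        level = "HIGH" if result["high_priority"] else "review"
        print(f"[{level}] {result['name']}: near {result['near_matches']}, "
              f"install hooks {result['install_hooks']}")
```

Running the script reports `expres` as high priority (one edit from `express` and it declares a `postinstall` script), and `lodahs` and `coffee_script` for review; `my-own-tool` is not reported even though it has a hook, because install scripts are normal for legitimate packages and only become suspicious next to a confusable name.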