在 Python 領域裡常用 pip 安裝軟體:
$ pip install reqeusts
或是:
$ sudo pip install reqeusts
其他的平台也大致類似於這樣的動作。而在「Typosquatting programming language package managers」這篇文章裡,作者用 typo 之類的方式列出可能的名稱,像是這樣的名稱:
$ sudo pip install reqeusts
然後在這三個平台上發動攻擊,上傳了數百個套件並且觀察:
All in all, I created over 200 such packages and equipped them with a small program and uploaded them over the course of several months. The idea is to add some code to the packages that is executed whenever the package is downloaded with the installing user rights.
而這是「成果」: