A Review of Attacks Against Language-Based Package Managers
Aarnav M. Bos

TL;DR
This paper reviews various supply chain attacks on language-based package managers, categorizing attack types and discussing measures to prevent such security threats in software reuse environments.
Contribution
It provides a comprehensive categorization of supply chain attacks on package managers and highlights areas for future research in securing software supply chains.
Findings
Supply chain attacks target package managers at various stages.
Current measures to prevent attacks are discussed and evaluated.
Identifies gaps and future research directions in package manager security.
Abstract
The liberalization of software licensing has led to unprecedented re-use of software. Alongside drastically increasing productivity and arguably quality of derivative works, it has also introduced multiple attack vectors. The management of software intended for re-use is typically conducted by a package manager, whose role involves installing and updating packages and enabling reproducible environments. Package managers implement various measures to enforce the integrity and accurate resolution of packages to prevent supply chain attacks. This review explores supply chain attacks on package managers. The attacks are categorized based on the nature of their impact and their position in the package installation process. To conclude, further areas of research are presented.
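The two defences the abstract names, integrity (the installed artifact is byte-for-byte what was expected) and accurate resolution (the name/version that was installed is the one that was pinned), are what hash-pinned lockfiles such as pip's `--hash=sha256:` requirement lines or npm's `integrity` field provide. The following is an added example, not code from the paper, that builds a constructed lockfile from two hypothetical packages and then checks three simulated registries against it: an honest one, one serving a tampered artifact, and one resolving a pinned name to a different version.

```python
import hashlib
import hmac

# Constructed "trusted" artifacts the lockfile is generated from.
# Package names, versions and payloads are hypothetical, not taken from the paper.
TRUSTED = {
    "leftpad": ("1.3.0", b"def leftpad(s, n):\n    return s.rjust(n)\n"),
    "colorize": ("2.0.1", b"def colorize(s):\n    return '\\x1b[31m' + s + '\\x1b[0m'\n"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_lockfile(trusted: dict) -> str:
    """Emit one 'name==version --hash=sha256:<hex>' line per package (pip's hash-pinning syntax)."""
    lines = [
        f"{name}=={version} --hash=sha256:{sha256_hex(payload)}"
        for name, (version, payload) in sorted(trusted.items())
    ]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Parse lock lines into {name: (version, sha256_hex)}; reject anything malformed."""
    locked = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, hash_part = line.partition(" --hash=")
        name, _, version = spec.partition("==")
        algo, _, digest = hash_part.partition(":")
        if not (name and version and algo == "sha256" and len(digest) == 64):
            raise ValueError(f"malformed lock line: {raw!r}")
        locked[name] = (version, digest)
    return locked


def verify_install(lock_text: str, registry: dict) -> dict:
    """Check what a registry serves against the lockfile.

    registry maps name -> (version, payload_bytes), i.e. what the resolver would
    fetch. Result per package: 'ok', 'version-mismatch' (resolution check failed),
    'hash-mismatch' (integrity check failed) or 'missing'.
    """
    locked = parse_lockfile(lock_text)
    results = {}
    for name, (version, digest) in locked.items():
        served = registry.get(name)
        if served is None:
            results[name] = "missing"
            continue
        served_version, payload = served
        if served_version != version:
            # Resolution check: a different version (e.g. a higher one pushed to a
            # public index) must not silently replace the pinned one.
            results[name] = "version-mismatch"
        elif not hmac.compare_digest(sha256_hex(payload), digest):
            # Integrity check: same name and version, but different bytes.
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


LOCK = write_lockfile(TRUSTED)

# Honest registry: exactly what the lockfile was generated from.
GOOD_REGISTRY = dict(TRUSTED)

# Tampered registry: same version string, but the artifact has an extra payload.
TAMPERED_REGISTRY = dict(TRUSTED)
TAMPERED_REGISTRY["leftpad"] = ("1.3.0", TRUSTED["leftpad"][1] + b"import os; os.system('id')\n")

# Substituted registry: 'colorize' resolves to a different version than the pinned one.
SUBSTITUTED_REGISTRY = dict(TRUSTED)
SUBSTITUTED_REGISTRY["colorize"] = ("9.9.9", b"def colorize(s):\n    return s\n")


if __name__ == "__main__":
    for label, reg in [("good", GOOD_REGISTRY), ("tampered", TAMPERED_REGISTRY), ("substituted", SUBSTITUTED_REGISTRY)]:
        print(label, verify_install(LOCK, reg))
```

The version check runs before the hash check so that a substitution is reported as a resolution failure rather than as a generic integrity failure; both are refusals to install, but they point at different stages of the installation process, which is the axis along which the paper categorizes the attacks.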
