A Review of Attacks Against Language-Based Package Managers

The liberalization of software licensing has led to unprecedented re-use of software. Alongside drastically increasing productivity and arguably quality of derivative works, it has also introduced multiple attack vectors. The management of software intended for re-use is typically conducted by a package manager, whose role involves installing and updating packages and enabling reproducible environments. Package managers implement various measures to enforce the integrity and accurate resolution of packages to prevent supply chain attacks. This review explores supply chain attacks on package managers. The attacks are categorized based on the nature of their impact and their position in the package installation process. To conclude, further areas of research are presented.