Open
Description
http://incolumitas.com/2016/06/08/typosquatting-package-managers/
http://incolumitas.com/data/thesis.pdf
There is a thesis written about achieving RCE through typosquatting on popular package managers. The situation isn't quite so bad in Clojars, as people can't copy someone else's group name, and Leiningen doesn't execute arbitrary code when JARs are downloaded (we do it at runtime 😄). Nonetheless, we should look at the paper, identify what our risks are, and mitigate them.
cf. http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/, https://www.pytosquatting.org
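One concrete mitigation on the consumer side is to check a project's dependency coordinates against a curated list of well-known ones and flag near-misses before they are ever resolved. The script below is an added example, not Clojars or Leiningen code; it is written in Python rather than Clojure so it runs stand-alone, and both `KNOWN_COORDINATES` and `SAMPLE_DEPENDENCIES` are constructed sample data, not real registry output. It compares group and artifact separately, so a look-alike group (`org.cloujure/clojure`) and a same-group artifact typo (`ring/rnig-core`) are both caught, while exact matches and unrelated names are left alone.

```python
"""Flag dependency coordinates that look like typosquats of well-known ones.

Added example (not Clojars/Leiningen code). KNOWN_COORDINATES and
SAMPLE_DEPENDENCIES are constructed sample data, not real registry output.
"""

# Constructed list of "well-known" Maven-style coordinates (group/artifact), as a
# team might curate from its own lockfiles or a registry download-count feed.
KNOWN_COORDINATES = [
    "org.clojure/clojure",
    "org.clojure/core.async",
    "ring/ring-core",
    "compojure/compojure",
    "cheshire/cheshire",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (transpositions are the classic
    'rnig' for 'ring' typo, so plain Levenshtein would overcount them)."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def split_coordinate(coord: str):
    """'group/artifact' -> (group, artifact). Leiningen shorthand 'foo' means 'foo/foo'."""
    if "/" in coord:
        group, artifact = coord.split("/", 1)
    else:
        group = artifact = coord
    return group, artifact


def suspicious_matches(coord, known=KNOWN_COORDINATES, max_distance=2):
    """Return (known_coordinate, distance) pairs that `coord` closely resembles
    but does not equal, nearest first. An exact match to a known coordinate
    returns [] because there is nothing to flag."""
    group, artifact = split_coordinate(coord)
    hits = []
    for k in known:
        kg, ka = split_coordinate(k)
        if (group, artifact) == (kg, ka):
            return []
        dist = damerau_levenshtein(group, kg) + damerau_levenshtein(artifact, ka)
        if dist <= max_distance:
            hits.append((k, dist))
    return sorted(hits, key=lambda h: h[1])


def scan_dependencies(deps, known=KNOWN_COORDINATES, max_distance=2):
    """Map each flagged dependency to its near-matches; clean ones are omitted."""
    report = {}
    for coord in deps:
        hits = suspicious_matches(coord, known, max_distance)
        if hits:
            report[coord] = hits
    return report


# Constructed sample dependency list, as a team might extract from project.clj.
SAMPLE_DEPENDENCIES = [
    "org.clojure/clojure",    # exact match: fine
    "org.cloujure/clojure",   # look-alike group: flagged
    "ring/rnig-core",         # transposed artifact: flagged
    "hiccup/hiccup",          # not on the known list and not close to it: ignored
]

if __name__ == "__main__":
    for coord, hits in scan_dependencies(SAMPLE_DEPENDENCIES).items():
        print(f"{coord}: resembles {hits}")
```

The threshold of 2 is deliberately tight: a distance of 1 or 2 across a whole coordinate is where a human would plausibly mistype, and raising it quickly produces noise between legitimately similar artifact names. Such a check belongs in CI or a pre-commit hook on the dependency file, where a flagged line is cheap to review before anything is downloaded.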