As part of his thesis project, University of Hamburg student Nikolai Philipp Tschacher conducted a typosquatting attack that demonstrated that it was extremely easy to get developers, including some who work for the U.S. government and military, to run sketchy code. Tschacher first wrote some fake code and then researched the most popular packages on the PyPI, RubyGems, and NPM developer websites. He then uploaded his own code to those sites using names that were very similar to the popular packages.
Over several months, 17,000 different Web domains ran his fake code more than 45,000 times. Two of those domains belonged to the U.S. military. “There were also 23 .gov domains from governmental institutions of the United States,” Tschacher wrote in his thesis. “This number is highly alarming, because taking over hosts in US research laboratories and governmental institutions may have potentially disastrous consequences for them.”
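The lookalike-name trick described above can be caught before installation by comparing each declared dependency against a list of well-known package names. The following Python check is an added example, not code from Tschacher's thesis; the `POPULAR` list, the sample dependency names, and the distance threshold are constructed assumptions.

```python
# Added example: flag dependency names that are a near miss of a popular package.
# POPULAR is a small constructed list; a real check would load the registry's
# most-downloaded package names instead.
POPULAR = {"requests", "numpy", "django", "urllib3", "setuptools"}


def normalize(name):
    """Simplified PyPI-style normalisation: lowercase, '_' and '.' treated as '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, the most common typing slip ("eu" for "ue").
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious(dependencies, popular=POPULAR, max_distance=1):
    """Return (dependency, lookalike_of) pairs for names close to, but not in, popular."""
    known = {normalize(p) for p in popular}
    findings = []
    for dep in dependencies:
        name = normalize(dep)
        if name in known:
            continue  # exact match with a known package name
        for target in sorted(known):
            if edit_distance(name, target) <= max_distance:
                findings.append((dep, target))
                break
    return findings


# Constructed sample input, e.g. names parsed from a requirements file.
SAMPLE = ["requests", "reqeusts", "Django", "djang", "numpyy", "flask"]

if __name__ == "__main__":
    for dep, target in suspicious(SAMPLE):
        print(f"{dep!r} looks like {target!r}: verify before installing")
```

A distance threshold of 1 keeps false positives low; legitimately similar names still need a reviewed allow-list.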