The liberalization of software licensing has led to unprecedented re-use of software. Alongside drastically increasing productivity and arguably quality of derivative works, it has also introduced multiple attack vectors. The management of software intended for re-use is typically conducted by a package manager, whose role involves installing and updating packages and enabling reproducible environments. Package managers implement various measures to enforce the integrity and accurate resolution of packages to prevent supply chain attacks. This review explores supply chain attacks on package managers. The attacks are categorized based on the nature of their impact and their position in the package installation process. To conclude, further areas of research are presented.

翻译：软件许可的自由化导致了前所未有的软件复用。在显著提升生产效率及衍生作品质量的同时，这也引入了多种攻击向量。旨在复用的软件通常由包管理器进行管理，其职责包括安装和更新软件包，以及实现可重现的环境。包管理器会实施多种措施来确保包的完整性和准确解析，以防止供应链攻击。本综述探讨了针对包管理器的供应链攻击，并根据攻击影响的性质及其在包安装过程中的位置进行了分类。最后，本文提出了进一步的研究方向。