Here's an interesting hack, usually called dependency confusion:
- guess/find names of private packages used internally within companies,
- create public packages with the same names,
- wait until someone or some tool uses the public one by accident.
Unfortunately, this applies to Cargo too. A dependency declared without a `registry` key is resolved from crates.io, never from a private registry, so if someone wrote:
[dependencies]
company-internal = "1.0"
instead of
[dependencies]
company-internal = { version = "1.0", registry = "corpo" }
they would fetch whatever crate anyone has published under that name on crates.io. Because build scripts and procedural macros run during `cargo build`, the untrusted code executes at build time, before any binary is run or any test is started. The usual countermeasures are to reserve the internal names on crates.io with placeholder crates and to check Cargo.lock for internal names whose `source` is the crates.io index.
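As an added example (not code from the original post or from Cargo itself), here is a small Rust audit that flags the mistake described above in both the manifest and the lock file. The internal crate names, the `corpo` registry URL and the two sample files are constructed for illustration; the parser is deliberately line-based rather than a full TOML parser.

```rust
// Added example (not Cargo's own code): audit Cargo.toml and Cargo.lock for
// internal crate names that would be fetched from crates.io instead of the
// private registry. Line-based on purpose; not a full TOML parser.
use std::collections::HashSet;

/// Crates that exist only on the private registry. Assumption: the team
/// keeps this list next to its registry configuration.
pub fn internal_names() -> HashSet<&'static str> {
    ["company-internal", "corpo-auth"].iter().copied().collect()
}

/// Drop a trailing `#` comment and surrounding whitespace.
fn clean(line: &str) -> &str {
    line.split('#').next().unwrap_or("").trim()
}

/// Close a pending `[dependencies.<name>]` table; flag it if no `registry` key was seen.
fn flush_table(table: &mut Option<(String, bool)>, findings: &mut Vec<String>) {
    if let Some((name, has_registry)) = table.take() {
        if !has_registry {
            findings.push(name);
        }
    }
}

/// Flag internal crates declared in any `*dependencies*` section without
/// `registry = "..."`. Handles `name = "1.0"`, `name = { ..., registry = "corpo" }`
/// and the `[dependencies.name]` table form.
pub fn audit_manifest(manifest: &str, internal: &HashSet<&str>) -> Vec<String> {
    let mut findings = Vec::new();
    let mut in_dep_section = false;
    let mut table: Option<(String, bool)> = None;

    for raw in manifest.lines() {
        let line = clean(raw);
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') {
            flush_table(&mut table, &mut findings);
            in_dep_section = false;
            let header = line.trim_matches(|c: char| c == '[' || c == ']');
            if let Some(idx) = header.rfind("dependencies") {
                let after = &header[idx + "dependencies".len()..];
                if after.is_empty() {
                    // [dependencies], [dev-dependencies], [target.X.dependencies], ...
                    in_dep_section = true;
                } else if let Some(name) = after.strip_prefix('.') {
                    let name = name.trim_matches('"').to_string();
                    if internal.contains(name.as_str()) {
                        table = Some((name, false));
                    }
                }
            }
            continue;
        }
        if let Some((_, has_registry)) = table.as_mut() {
            if line.starts_with("registry") {
                *has_registry = true;
            }
            continue;
        }
        if !in_dep_section {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let name = key.trim().trim_matches('"');
            if internal.contains(name) && !value.contains("registry") {
                findings.push(name.to_string());
            }
        }
    }
    flush_table(&mut table, &mut findings);
    findings
}

/// Flag `[[package]]` entries whose `source` is the crates.io index although the
/// crate belongs on the private registry. Runs after resolution, so it also
/// catches transitive pulls.
pub fn audit_lockfile(lock: &str, internal: &HashSet<&str>) -> Vec<String> {
    let is_crates_io = |s: &str| s.contains("crates.io-index") || s.contains("index.crates.io");
    let mut findings = Vec::new();
    let (mut name, mut source) = (String::new(), String::new());
    // A trailing sentinel header flushes the last package entry.
    for raw in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = clean(raw);
        if line == "[[package]]" {
            if internal.contains(name.as_str()) && is_crates_io(&source) {
                findings.push(name.clone());
            }
            name.clear();
            source.clear();
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("source = ") {
            source = v.trim_matches('"').to_string();
        }
    }
    findings
}

/// Constructed sample manifest: one correct declaration, two confused ones.
pub const SAMPLE_MANIFEST: &str = r#"
[package]
name = "app"
version = "0.1.0"

[dependencies]
serde = "1.0"
corpo-auth = { version = "2.1", registry = "corpo" }
company-internal = "1.0"   # no registry key: resolves from crates.io

[dev-dependencies.corpo-auth]
version = "2.1"
"#;

/// Constructed sample lock file with a hypothetical private registry URL.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "company-internal"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "corpo-auth"
version = "2.1.0"
source = "registry+https://crates.corpo.example/index"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let internal = internal_names();
    println!("manifest findings: {:?}", audit_manifest(SAMPLE_MANIFEST, &internal));
    println!("lockfile findings: {:?}", audit_lockfile(SAMPLE_LOCK, &internal));
}
```

The lock-file check is the one to put in CI: it runs on the resolved graph, so it catches an internal name pulled in transitively by another crate, which the manifest check alone would miss.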